|
|
|
|
|
|
by omegabravo
721 days ago
|
|
|
How would they have got a proper CA signed cert for a domain they don't own? HSTS will only make a HTTPS connection. Without the valid certificate, they should get a warning. The only way this "works" is if a captive portal pops up a browser to a site that looks the same like amaz0n.com. Password manager wouldn't popup, but many people don't use them. Faking DNS also won't help with the TLS warning, they won't have the certificate. Basically, this shouldn't be possible with HSTS. |
|
|
No need. People probably don't look closely at the domain name.