by pauldino 4330 days ago
I think most non-EV SSL certificates these days are "verified" by sending a message to whatever e-mail address you have on file in your whois record.

Also on Chrome at least certificate pinning should prevent that particular scenario.

1 comment

Chrome's certificate pinning database doesn't scale at all (i.e. it works on less than 0.01% of the internet).

As to the whois thing, what is stopping me from hijacking a domain, changing the whois and then generating keys? The webadmin might never even know. You don't even need access to their email.

Or to put it more realistically: What is stopping the NSA from pressuring a domain registrar into altering the whois for a brief period in order to generate MITM keys?

Nothing, really. But that is the situation today.
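To make the pinning side of this exchange concrete, here is an added example that is not part of the thread and not Chrome's own code: a stdlib-only Python check that locates a certificate's SubjectPublicKeyInfo in DER, hashes it, and compares the result against a pinned set, which is the HPKP / Chrome preload style of public-key pin. The certificates and keys are constructed inside the block (a dummy RSA modulus and a placeholder signature, enough structure for the parser and nothing more); all function names are mine.

```python
"""SPKI pin check, stdlib only.

Constructed example: the certificates below are hand-built DER with a dummy
RSA public key and no valid signature. The parser only needs the structure
to find SubjectPublicKeyInfo, which is what HPKP-style pins hash.
"""
import base64
import hashlib

# --- minimal DER encoder, just enough to build a certificate skeleton -------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b          # keep the INTEGER positive
    return tlv(0x02, b)

OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("0603550403")                      # commonName

def name(cn):
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def rsa_spki(modulus, exponent=65537):
    pubkey = seq(integer(modulus), integer(exponent))      # RSAPublicKey
    return seq(seq(OID_RSA, tlv(0x05, b"")), tlv(0x03, b"\x00" + pubkey))

def make_cert(spki, cn="example.test"):
    """Constructed X.509 skeleton: real layout, placeholder signature."""
    tbs = seq(
        tlv(0xA0, integer(2)),                             # [0] version v3
        integer(0x1234),                                   # serialNumber
        seq(OID_SHA256_RSA, tlv(0x05, b"")),               # signature algorithm
        name("Constructed Test CA"),                       # issuer
        seq(tlv(0x17, b"130101000000Z"), tlv(0x17, b"140101000000Z")),
        name(cn),                                          # subject
        spki,                                              # subjectPublicKeyInfo
    )
    fake_sig = tlv(0x03, b"\x00" + b"\x00" * 32)           # not a real signature
    return seq(tbs, seq(OID_SHA256_RSA, tlv(0x05, b"")), fake_sig)

# --- DER reader and the pin check itself -----------------------------------

def _read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the TLV starting at off."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                                          # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, off, off + ln

def _children(buf, start, end):
    """List (tag, tlv_start, tlv_end) for each element of a constructed value."""
    out, off = [], start
    while off < end:
        tag, _, vend = _read_tlv(buf, off)
        out.append((tag, off, vend))
        off = vend
    return out

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV bytes of a DER certificate."""
    _, cs, ce = _read_tlv(cert_der, 0)                     # Certificate
    _, tbs_start, _ = _children(cert_der, cs, ce)[0]
    _, ts, te = _read_tlv(cert_der, tbs_start)             # tbsCertificate
    fields = _children(cert_der, ts, te)
    if fields[0][0] == 0xA0:                               # optional [0] version
        fields = fields[1:]
    # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    _, s, e = fields[5]
    return cert_der[s:e]

def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned):
    """True if this certificate's SPKI hash is one of the pinned hashes."""
    return spki_pin(cert_der) in pinned

# Constructed keys: small dummy moduli, NOT real RSA keys.
SPKI_SITE = rsa_spki(0xC0FFEE0123456789ABCDEF0123456789ABCDEF01)
SPKI_ROGUE = rsa_spki(0xDEADBEEF0123456789ABCDEF0123456789ABCDEF)
GENUINE_CERT = make_cert(SPKI_SITE)
MITM_CERT = make_cert(SPKI_ROGUE)        # same subject name, different key
PINNED = {spki_pin(GENUINE_CERT)}

if __name__ == "__main__":
    print("genuine cert accepted:", pin_matches(GENUINE_CERT, PINNED))
    print("MITM cert accepted:   ", pin_matches(MITM_CERT, PINNED))
```

The point the check illustrates: a certificate issued for the right name by a CA the client trusts (which is exactly what a WHOIS-based domain validation hands an attacker who controls the WHOIS record) still fails here, because the pin is on the key, not on the name or the issuer. A browser applies the pin to any certificate in the validated chain, so a real implementation calls `pin_matches` across the chain rather than on the leaf alone, and the coverage limit raised above still applies: only hosts with a preloaded or previously delivered pin set get this protection at all.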