[ryanlol]

MAS's CDN that is. The same CDN they were using before the hack even happened.

[Dylan16807]

But it being an external CDN means that there is no indication that the actual servers they have control of were tampered with. The possibility that HSTS could have saved the day is just as valid. There is no indication that the CDN got these incorrect files with any kind of encryption or signing.

[ryanlol]

So CDN just works without having the SSL certs?

[Dylan16807]

What? A CDN accessed over TLS needs some kind of cert, sure. I don't see how this connects to whether the CDN pulls off the wrong server.

Obviously if the CDN has cert X then any authentication it may have should use cert Y.

[ryanlol]

Malaysiaairlines.com is proxied by Akamai CDN, surely Akamai has access to the certificate used for malaysiaairlines.com then.