
> I've never seen a cert error in the wild that wasn't an expiration of a valid cert or a misconfiguration.

I have. Usually caused by a captive portal.

> The boogeyman of MITM attacks which PKI certs protect from is used to justify a lot of terrible changes to the web that aren't reflected by reality.

The move to use HTTPS everywhere was started in response to packet sniffing tools like Firesheep. That’s not a boogeyman; it’s a proof of concept that works in realistic scenarios.

> Why MITM Amazon when people will happily treat an order email sent from a Gmail account as legitimate?

So what? How about solving both problems?



Captive portals aren't malicious. They're arguably helpful. But I've never seen a captive portal using fake certificates either.


Whether they’re malicious or not, I don’t want to send them the session cookie for an unrelated website.


So scope cookies to the SSL certificate instead of the domain name, or simply offer to clear them for a domain whenever you bypass the HSTS on one.


> So scope cookies to the SSL certificate

And invalidate every user's session whenever the server's certificate is renewed??


> But I've never seen a captive portal using fake certificates either.

I've never seen a captive portal using a valid certificate either. Not like I saw many captive portals (last time was like... 2018?) but still.


> using fake certificates

What's the definition of a fake certificate? Self-signed? Signed by a real CA, but for a different domain (the captive portal operator's generally)?



