
"because any CA can attack you, whether you're their customer or not"

Can you (or someone) explain why this is? I don't understand.



Every CA in your trust store can issue certificates for every domain. "Attack", in this context, means issuing a trusted certificate that can be used to MitM users of your site. HPKP helps mitigate this risk on a Trust on First Use (TOFU) basis.


As long as the certificate is ultimately signed by a root CA in your computer's trust store, the certificate will be regarded as valid by your computer. So basically, any CA in your trust store, or signed by a CA in your trust store, can issue certificates for anyone, anything and any domain. It doesn't matter whether the owner of the domain consents or not.
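The point both replies above make, as an added, constructed example (not code from the thread): a client trusts several CAs, any one of them can sign a certificate for `example.com` whether or not the domain owner asked for it, and ordinary path validation accepts it. An HPKP-style pin remembered on first use (TOFU) is what catches the mis-issued certificate. Everything here is a toy model: `Honest CA`, `Rogue CA`, the HMAC stand-in for CA signatures, and the leaf-only pin are all assumptions so the script runs with the standard library alone.

```python
"""Toy model of why any trusted CA can issue a certificate for any domain,
and how an HPKP-style SPKI pin (trust on first use) narrows that down.

Constructed example. HMAC stands in for real CA signatures so no
third-party library is needed; the trust store holds the CA objects.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str      # domain the certificate claims to be for
    issuer: str       # name of the CA that signed it
    spki: bytes       # stand-in for the SubjectPublicKeyInfo
    signature: bytes  # "signature" over (subject, issuer, spki)


@dataclass
class CA:
    name: str
    secret: bytes = field(default_factory=lambda: os.urandom(32))

    def _tbs(self, subject: str, spki: bytes) -> bytes:
        return f"{subject}|{self.name}|".encode() + spki

    def issue(self, subject: str, spki: bytes) -> Cert:
        # Nothing here asks the domain owner; the CA just signs.
        sig = hmac.new(self.secret, self._tbs(subject, spki), hashlib.sha256).digest()
        return Cert(subject, self.name, spki, sig)

    def verify(self, cert: Cert) -> bool:
        expected = hmac.new(self.secret, self._tbs(cert.subject, cert.spki), hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert.signature)


def chain_valid(cert: Cert, host: str, trust_store: dict[str, CA]) -> bool:
    """Simplified path validation: hostname matches and *any* trusted CA signed it."""
    ca = trust_store.get(cert.issuer)
    return ca is not None and cert.subject == host and ca.verify(cert)


def spki_pin(spki: bytes) -> str:
    """HPKP pins are the SHA-256 of the SubjectPublicKeyInfo."""
    return hashlib.sha256(spki).hexdigest()


class PinStore:
    """TOFU pin cache: the first valid certificate seen for a host sets its pins.
    (Real HPKP also requires a backup pin and a max-age; omitted in this toy.)"""

    def __init__(self) -> None:
        self.pins: dict[str, set[str]] = {}

    def check(self, host: str, cert: Cert, trust_store: dict[str, CA]) -> str:
        if not chain_valid(cert, host, trust_store):
            return "rejected: untrusted chain"
        pins = self.pins.get(host)
        if pins is None:
            self.pins[host] = {spki_pin(cert.spki)}  # first use: remember the key
            return "accepted: pinned on first use"
        if spki_pin(cert.spki) in pins:
            return "accepted: matches pin"
        return "rejected: chain valid but SPKI not pinned"


def scenario() -> dict:
    honest = CA("Honest CA")
    rogue = CA("Rogue CA")
    trust_store = {honest.name: honest, rogue.name: rogue}  # client trusts both

    real = honest.issue("example.com", b"example.com real key")
    forged = rogue.issue("example.com", b"key the site owner never saw")

    pins = PinStore()
    return {
        "chain_real": chain_valid(real, "example.com", trust_store),
        "chain_forged": chain_valid(forged, "example.com", trust_store),  # also True
        "pin_real": pins.check("example.com", real, trust_store),
        "pin_forged": pins.check("example.com", forged, trust_store),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Plain path validation returns `True` for both the legitimate and the mis-issued certificate, because the only question it asks is "did some trusted CA sign this?". The pin check returns `True` for the first and rejects the second, and the TOFU caveat is visible too: if the forged certificate had been the first one this client ever saw for `example.com`, it would have been pinned instead.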



