There would be a number of ways to do this: - Strip SSL by for instance blocking... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		colde on June 13, 2019 \| parent \| context \| favorite \| on: Pika CDN – A CDN for Modern JavaScript There would be a number of ways to do this: - Strip SSL by for instance blocking port 443 and hoping they fall back to HTTP. - Get your own root certificate installed on the equipment of the user you are attacking. This is fairly common in corporate environments for instance. - MD5 collision attacks (although almost every certificate would be SHA signed these days)

allset_ on June 13, 2019 [–]

HSTS prevents the first of these if the client has connected to the server previously.

Chrome also hasn't trusted certs with MD5 since version 65.

snug on June 13, 2019 | [–]

HSTS Preload prevents that from happening even if they never visited the site

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact