On Tue, Sep 27, 2011 at 05:08:42PM -0500, Jimmy Hess wrote:
> On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> > how does tls/https help here? if you get sent to the 'wrong host' whether or not it does https/tls is irrelevant, no? (save the case of chrome and domain pinning)
> Because the operator of the "wrong host" cannot obtain an SSL certificate for the right host's domain from a legitimate CA.
Oh, if only 'twere true... even without control of the DNS for the domain, there have been plenty of certificates erroneously issued. With DNS control, doing the necessary validation steps required for the issuance of a certificate is child's play. Then, of course, there are the issues with what constitutes a "legitimate" CA; the list of CAs that I'd never want to trust, but which are in my browser by default, is long and notorious.

- Matt
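The domain pinning Chris mentions is the one client-side check in this thread that does not depend on which CA issued the certificate or on what DNS said. As an added example (not from the thread), here is an SPKI pin check in the RFC 7469 / Chrome style in Python: the pin is SHA-256 over the DER subjectPublicKeyInfo, so a certificate for the right name from an unexpected key fails regardless of the issuing CA. The DER reader assumes a well-formed, definite-length certificate, and the sample certificate is a constructed X.509 skeleton with a dummy key and signature.

```python
import base64
import hashlib

def der_tlvs(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each DER TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                       # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        yield tag, pos + hdr, pos + hdr + length, pos, pos + hdr + length
        pos += hdr + length

def spki_der(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    cert = next(der_tlvs(cert_der, 0, len(cert_der)))
    tbs = next(der_tlvs(cert_der, cert[1], cert[2]))
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    fields = list(der_tlvs(cert_der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                    # skip the explicit [0] version field if present
        fields = fields[1:]
    _, _, _, tlv_start, tlv_end = fields[5]
    return cert_der[tlv_start:tlv_end]

def spki_pin(cert_der):
    """RFC 7469-style pin: base64(SHA-256(DER subjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned_pins):
    """True if the presented key is one the client already expects; no CA or DNS is consulted."""
    return spki_pin(cert_der) in set(pinned_pins)

def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed, structurally valid X.509 skeleton with a dummy key and signature (not a real cert).
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + bytes(range(256))))              # rsaEncryption + dummy key bits
SAMPLE_CERT = der(0x30,
    der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SHA256_RSA + der(0x30, b"")
        + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z")) + der(0x30, b"")
        + SAMPLE_SPKI)
    + SHA256_RSA + der(0x03, b"\x00" * 9))
```

A real client would run `pin_matches` on the leaf (or an intermediate) from the handshake; a certificate that any CA issued for the same name but a different key produces a different pin and is rejected.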