
Because they would mirror the site and then add bad stuff, so it looks legit, and then change the DNS record to point to the mirror.



I cannot really recall that ever happening for, like, the last 10 years. I could see the case if they wanted to intercept mail or something, but then the administrator would notice quite fast what was going on (i.e. not receiving any mails...).


I see this all the time with Twitter. These days you don't even need to mirror the website; just run a proxy that edits the HTML on the fly. Of course, they just use existing malware to edit the hosts file, but it's easy to translate to simply stealing the domain.


I have done this with Facebook as part of a prank on a friend; it's not hard to do!


Why would a mail interception not simply relay the mail back to the originally intended server (which, for obvious reasons, is happy to accept mail for the targeted domain)?

The point is very valid: someone who controls a domain can trivially MitM any communication with that domain over unencrypted HTTP. And given events of the past year, I wouldn't put it past them to be able to get a cert issued for the fraudulent domain too...


Unless they were making copies and forwarding the e-mails on.


This is why we have SSL. SSL protects against exactly these kinds of Man in the Middle attacks.


It's not a man in the middle, it's a new man on the other end, and since he has the domain he can get a legit SSL cert for it.


If he has control over the domain but not the server, it's man in the middle. He'd have to redirect the nameservers to a new server, which would either request html from the original server and add malware on the fly, or create a replica of the original site with extra added malware.

Either way, though, without the private key to the SSL certificate, which he won't have without the original server, he can't pretend to be the original site on the other end of an SSL connection.


It doesn't matter if he has the private keys of the original server. He can MITM it with a brand new fully authenticated official SSL cert because he now owns the domain.

   Orig. Server <-- SSL --> MITM Server <-- SSL --> Client
The only thing that usually prevents this is that the MITM Server normally can't get an authenticated SSL cert for the domain and so the client can detect the fake cert.

If SSL worked like SSH then your browser would whine that the cert changed but the browsers currently don't do that. I think even convergence (http://convergence.io/) wouldn't detect this case because it looks to the outside world to be totally legit. Scary.
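The SSH-style behaviour the comment above wishes browsers had, as an added example that is not part of the thread: a trust-on-first-use pin store keyed on the certificate's SHA-256 fingerprint, which flags a changed certificate even when the new one chains to a trusted CA. The certificate bytes and the `known_hosts`-style store format are constructed for the example.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
ORIGINAL_CERT_DER = b"constructed-der: example.com original server cert"
REPLACEMENT_CERT_DER = b"constructed-der: example.com cert issued after domain takeover"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like OpenSSL prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_store(text: str) -> dict:
    """Parse a known_hosts-style pin store: one 'host sha256 FINGERPRINT' line per host."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, algo, fp = line.split()
        if algo != "sha256":
            raise ValueError(f"unsupported fingerprint algorithm {algo!r} for {host}")
        store[host] = fp.upper()
    return store


def check_pin(store: dict, host: str, der_bytes: bytes) -> str:
    """TOFU check, independent of CA validation.

    'first-seen' records the pin, 'ok' means it matches, and 'changed' is the
    SSH-style warning: a different cert for a host we have talked to before.
    """
    fp = fingerprint(der_bytes)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "first-seen"
    return "ok" if known == fp else "changed"


if __name__ == "__main__":
    store = parse_store("# host  algo    fingerprint\n")
    for der in (ORIGINAL_CERT_DER, ORIGINAL_CERT_DER, REPLACEMENT_CERT_DER):
        print(check_pin(store, "example.com", der))
```

The third call returns "changed" even though nothing about the replacement certificate is invalid on its own, which is exactly the case CA validation alone cannot catch.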



