Why wouldn't SSL help? Unless the offending exit node has the requested site's c... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

andrewksl on Oct 24, 2014 | parent | context | favorite | on: The Case of the Modified Binaries

Why wouldn't SSL help? Unless the offending exit node has the requested site's cert, there's almost no way they can carry out a MITM attack on an SSL request undetected. That's kind of the whole point of certs.

Or is this an indictment of Cloudfront offering to be your SSL termination point?

Animats on Oct 24, 2014 [–]

This is an indictment of Cloudfront offering to be your SSL termination point, and using multiple-domain certs to do it. Here's the Black Hat paper on how to exploit that.

https://bh.ht.vc/vhost_confusion.pdf

Join us for AI Startup School this June 16-17 in San Francisco!
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact