Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

In this case it just acts as a DNS resolver. That's potentially risky when resources don't use SSL, but far less than a browser extension that can change a page in place, inject JavaScript, and record keystrokes on all pages.


> resources don't use SSL

Huh? DNS is hit even if the site is SSL. Unless the site has HSTS, and you've got to the site before; DNS poisoning is very much doable.


Yes, but the hijacker will still need to present a valid cert for that domain, which is much harder.


How would the attacker do anything useful with a SSL connection attempt? They can either send the real certificate, and then not be able to decrypt the data, or send a self-signed cert which the OS/browser wouldn't trust?

Are you thinking of some downgrade attack vector?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: