undefined | Better HN

0 pointsjoshu9y ago0 comments

It is also a threat if your DNS is compromised.

0 comments

3 comments · 1 top-level

a3_nm9y ago· 2 in thread

Not when fetching over HTTPS.

The CA system is extremely broken, it won't protect you from a state actor. Also TLS + DANE is useless if the DNS is compromised.

acdha9y ago

That's a bit too much hyperbole to be useful: yes, a state which runs a trusted CA is a threat (at least for sites which don't use key-pinning) but there are a ton of other things you're at risk for that way like SMS-based auth and the police or black bag squad paying you a visit. Describing the CA model as extremely broken because it doesn't handle an out-of-scope threat doesn't help anyone change their behavior to avoid it.

j / k navigate · click thread line to collapse