undefined | Better HN

0 pointsg-b-r2y ago0 comments

> the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.

Oh that's SUCH as an insignificant difference!!!

> So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.

You can simply relay the requests to the original site/"webapp", no need to build one similar

0 comments

Jensson2y ago

> You can simply relay the requests to the original site/"webapp", no need to build one similar

Doesn't work if the app encrypts messages locally, so end to end encryption is still valid with this.

g-b-rOP2y ago

We're talking about normal browsing, not webapps performing their encryption

isilofi2y ago

Webapps are also vulnerable because the Javascript can be manipulated in a MitM attack.

The only way around this would be a "real" app.

g-b-rOP2y ago

True

j / k navigate · click thread line to collapse

0 comments

Jensson2y ago

> You can simply relay the requests to the original site/"webapp", no need to build one similar

Doesn't work if the app encrypts messages locally, so end to end encryption is still valid with this.

g-b-rOP2y ago

We're talking about normal browsing, not webapps performing their encryption

isilofi2y ago

Webapps are also vulnerable because the Javascript can be manipulated in a MitM attack.

The only way around this would be a "real" app.

g-b-rOP2y ago

True

j / k navigate · click thread line to collapse