On 12/18/2014 05:55 PM, Michael Martinez wrote:
> No it doesn't need a certificate. A MITM can be executed through a
> compromised or rogue router. It's simple enough to set up a public
> network in well-known wifi hotspots and attract unwitting users. Then
> the HTTPS doesn't protect anyone's transmission from anything as the
> router forms the other end of the secure connection and initiates its
> own secure connection with the user's intended destination (either the
> site they are trying to get to or whatever site the bad guys want them
> to visit).

It sounds like you're saying that browsers don't verify the X.509
certificate presented by the https origin server, or at least that they
don't verify that the hostname matches.

This is a serious and extraordinary claim. Please provide evidence for it.

--dkg

Received on Thursday, 18 December 2014 23:07:40 UTC
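
Added example, not part of the original message: a Python sketch of the hostname check the reply refers to, run against two constructed certificates shaped like the dict returned by `SSLSocket.getpeercert()`. The names `hostname_matches`, `default_client_policy`, `ORIGIN_CERT` and `ROUTER_CERT` are hypothetical, wildcard handling is simplified to a whole left-most label, and chain validation (a separate check) is not reimplemented.

```python
import ssl

def _label_match(pattern: str, hostname: str) -> bool:
    """Compare one dNSName pattern to a hostname, case-insensitively."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if p_labels[0] == "*":
        # Simplification: only a whole left-most label may be a wildcard,
        # and never directly above a single-label suffix such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "w*.example.org" are rejected outright.
    return "*" not in pattern and p_labels == h_labels

def hostname_matches(cert: dict, hostname: str) -> bool:
    """cert is shaped like the dict returned by SSLSocket.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_match(name, hostname) for name in names)

def default_client_policy() -> tuple:
    """What Python's stock client context requires before any data flows."""
    ctx = ssl.create_default_context()
    return ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED

# Constructed sample certificates (not taken from any real site).
ORIGIN_CERT = {"subjectAltName": (("DNS", "www.example.org"),
                                  ("DNS", "*.example.org"))}
ROUTER_CERT = {"subjectAltName": (("DNS", "hotspot.example.net"),)}

if __name__ == "__main__":
    # The user asked for www.example.org; each endpoint presents its own cert.
    for label, cert in (("origin", ORIGIN_CERT), ("router", ROUTER_CERT)):
        print(label, hostname_matches(cert, "www.example.org"))
    print(default_client_policy())
```
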