Hacker News

If someone does that you’ve already been pwned. In reality you limit the CA to be domain scoped. I don’t know why domain-scoped CAs aren’t a thing.



> If someone does that you’ve already been pwned

Then why use encryption at all when your threat model for encrypted communication can't handle a malicious actor on the network?


Because there are various things in HTML and JS that require https.

(Though getting the browser to just assume http to local domains is secure like it already does for http://localhost would solve that)



