
The amazing thing is that:

1) it doesn't happen more often

2) that anyone noticed

It's clearly early days. If they had impersonated a download server, they could have got users to download a spiked copy of the browser itself.



There's also the possibility that it does happen often and no one notices, of course.


Makes me wonder how you'd approach the "how do I find bad certs" problem.

You'd think that an entity which, say, scrapes a large portion of the Web on a regular basis ... might be able to detect such things.

Meanwhile, there's CertWatch http://certwatch.simos.info/ and The Convergence Project http://convergence.io/


It was easily noticeable thanks to Chrome not trusting it in the first place (which also would have prevented spoofing the download server, though I suspect there's more to protect that than just a key).



