• cron@feddit.org
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 months ago

    Surely they can do a man-in-the-middle attack and gemerate the required private keys and certs on the fly.

    • lurch (he/him)@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      this only works, if the client doesn’t know the server yet or disregards an already known key (you know, like SSH or web browsers telling you the key has changed)

      • ClemaX@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        2 months ago

        I don’t think that browsers do that. There is HSTS but I think that it only checks if the connection is using TLS.

    • hperrin@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      They could pretend to be any domain, yes, but you asked about inspecting a TLS stream, and afaik, there’s no way to do that without the private key. Once the TLS handshake begins, there wouldn’t be a chance for a man in the middle, so that kind of attack would have to be done before the connection is established.