top | item 45119222

(no title)

elondaits | 5 months ago

What about a malicious DNS (on a public spoofed or hacked WiFi) that forwards you to a lookalike domain? Unfortunately many times public WiFi doesn’t work with Google’s or Cloudflare’s DNS servers (I think the Deutsche Bahn’s WiFi was such a case, if I remember correctly, but I know I came across a few on the last few years while traveling). I don’t think there’s anything protecting against that when you’re using a browser.

Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).

discuss

raquuk|5 months ago

I don't think a malicous DNS Server can redirect your request to a domain that does not result in a certificate warning when using HTTPS.

With browsers adopting DoH, a public WiFi should not be able to interfere with DNS much.

hiatus|5 months ago

HSTS solves this to some extent. If you've visited the domain in the past (or the site operator submitted to the HSTS preload list), a different certificate presented would be flagged by your browser.

mr_mitm|5 months ago

Not a different certificate, but one signed by an untrusted authority. HSTS won't let you bypass it.

There used to be a Firefox addon that could warn you if the actual certificate changed, but it died with manifest addons.

michaelt|5 months ago

Your better websites use "HSTS Preloading" to ensure users always get sent to the https version of the site - in which case even if the attacker redirected the DNS resolution, you'd just get an SSL error as the attacker wouldn't have a valid certificate.

Of course, an astonishing number of (even important, high-profile) websites don't bother with HSTS preloading ¯\_(ツ)_/¯