[cabfpub] Brazilian bank DNS heist

[Gervase Markham]

On 10/04/17 07:29, Richard Wang via Public wrote:
> As I know, for Internet banking security in China, some bank developed
> its own client software that they don’t use browser, and the internal
> important communication use IP address + SSL certificate, and the SSL
> certificate is issued by the bank’s own CA.  This will solve the DNS
> heist, fake SSL certificate problem.

This is effectively another form of certificate pinning, except with all
the added downsides of running proprietary black-box software.

Gerv