[cabfpub] Brazilian bank DNS heist

Gervase Markham gerv at mozilla.org
Mon Apr 10 14:02:13 UTC 2017

On 10/04/17 07:29, Richard Wang via Public wrote:
> As I know, for Internet banking security in China, some bank developed
> its own client software that they don’t use browser, and the internal
> important communication use IP address + SSL certificate, and the SSL
> certificate is issued by the bank’s own CA.  This will solve the DNS
> heist, fake SSL certificate problem.

This is effectively another form of certificate pinning, except with all
the added downsides of running proprietary black-box software.


More information about the Public mailing list