I recall that subdomains are their own record inside a DNS, which would imply that anyone can claim that their server is a non-existent subdomain of the real domain

  • @[email protected] · 16 points · edited · 7 hours ago

    They’d need a certificate authority to issue the certificate, and the victim’s browser would have to trust that authority.

    Edit: and the scammer would need to control the domain DNS server to use the subdomain, like another reply said, so the certificate alone wouldn’t help much.

    • @over_clox · -10 points · 6 hours ago

      I’ve been able to downgrade https sites to plain http sites, through a series of loopholes which I won’t go into.

      • @Serinus · 4 points · 4 hours ago

        So you’ve… compromised your own security. Grats?

        • ich_iel · 1 point · 1 hour ago

          Checks own servers

          Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

          Yeah, I’d like to see that…