• diabetic_porcupine@lemmy.world
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    7 days ago

    You can always use pihole to mess with your local dns and resolve to a fake website that looks like your social media of choice and collect their password

    • Anivia@feddit.org
      link
      fedilink
      arrow-up
      1
      ·
      6 days ago

      Only if the user ignores the “unsafe connection” warning in the browser, since you won’t have an SSL certificate for the domain

      • diabetic_porcupine@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        6 days ago

        Hmm good point… you would need the ca to sign off on it self signed doesn’t work… it’s just a file though right? Couldn’t you rip it from the real server?

        • Anivia@feddit.org
          link
          fedilink
          arrow-up
          1
          ·
          5 days ago

          it’s just a file though right? Couldn’t you rip it from the real server?

          No, that’s not how TLS works. The certificate is not exposed to the internet unless the admins of the webserver are extremely incompetent. That would defeat the entire purpose, not only could you impersonate the server, but the encryption would also be futile since anyone would have access to the private key.