| ▲ | avianlyric 2 days ago | |
> So a bad actor can still issue a multi-year certificate for itself, and in the absence of side-channel verification the browser is none the wiser. How would a bad actor do that without a certificate authority being involved? | ||
| ▲ | syncsynchalt a day ago | parent [-] | |
The bad actor would also need to install a root for their custom CA on the end-user device. | ||