I recall that subdomains are their own record inside a DNS, which would imply that anyone can claim that their server is a non-existent subdomain of the real domain

  • redpotatoes@lemm.ee
    link
    fedilink
    English
    arrow-up
    16
    ·
    edit-2
    7 hours ago

    They’d need a certificate authority to issue the certificate, and the victim’s browser would have to trust that authority.

    Edit: and the scammer would need to control the domain DNS server to use the subdomain, like another reply said, so the certificate alone wouldn’t help much.