Malicious JS - DNS variant
Evil user stories
As an authoritarian regime, I want to compel DNS server operators to direct users to my custom CryptPad front end, because I can then serve whatever JS I want and use people's keys to load from the actual API server.
Countermeasures:
HSTS and Certificate Transparency can partially help
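
To check how much of the HSTS countermeasure a deployment actually gets, the following added example (not CryptPad code) audits a Strict-Transport-Security header value per RFC 6797. The function names, the one-year max-age floor and the sample header strings in the comments are assumptions made for illustration.

```javascript
// Added example: audit a Strict-Transport-Security header value (RFC 6797).
// MIN_MAX_AGE is an assumed policy floor, not a value taken from the page.
const MIN_MAX_AGE = 31536000; // one year, in seconds

// Parse the header into its directives. Directive names are case-insensitive
// and max-age may be given as a quoted string.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of String(headerValue || "").split(";")) {
    const [name, ...rest] = raw.trim().split("=");
    const key = name.trim().toLowerCase();
    const value = rest.join("=").trim().replace(/^"(.*)"$/, "$1");
    if (key === "max-age" && /^\d+$/.test(value)) policy.maxAge = Number(value);
    else if (key === "includesubdomains") policy.includeSubDomains = true;
    // "preload" is not in RFC 6797; it is the opt-in token used by browser preload lists.
    else if (key === "preload") policy.preload = true;
  }
  return policy;
}

// Return a list of findings; an empty list means no gap was detected.
function auditHsts(headerValue) {
  if (!headerValue) return ["missing: no HSTS header, plain-HTTP downgrade is possible"];
  const findings = [];
  const p = parseHsts(headerValue);
  if (p.maxAge === null) findings.push("invalid: max-age is required, browsers ignore the header");
  else if (p.maxAge === 0) findings.push("disabled: max-age=0 clears the stored policy");
  else if (p.maxAge < MIN_MAX_AGE) findings.push("short: max-age is below one year");
  if (!p.includeSubDomains) findings.push("gap: subdomains are not covered");
  if (!p.preload) findings.push("gap: no preload token, a first visit is unprotected");
  return findings;
}

// Constructed sample inputs:
//   auditHsts("max-age=63072000; includeSubDomains; preload")  -> no findings
//   auditHsts("max-age=300")                                   -> short, subdomain and preload gaps
```

Even a clean result only rules out plain-HTTP downgrade and click-through of certificate warnings; a redirected front end that presents a valid certificate for the domain still passes HSTS. Certificate Transparency is the part that makes such a certificate visible to the domain owner.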