Spoofing is one side of this, which TLS does indeed prevent. There’s also a question of if a certificate is issued to one host, can it be moved and successfully reused by any other host. There was a previous question about this TLS Plugin Automatic Hostname / IP Verification , and nothing has changed since afaik.