I would think it would be safer to block the site, or provide a warning dialog. (This is what I was expecting when I started reading the head post; I was a bit surprised at the interventionism to actually go ahead and "fix" the site, maybe that would be a better default behavior).
Btw, regarding unadvertised SSL equivalents, I have noticed that if you log in to Gmail, you get SSL for login, but then http for the web mailer. However, if you edit the URL after login to https, it appears to work OK over SSL also.

Adam

On Mon, Sep 19, 2005 at 04:20:07PM -0700, John Gilmore wrote:
> Perhaps the idea of "automatically" redirecting people to alternative
> pages goes a bit too far:
>
> > 1. TrustBar will automatically download from our own server,
> > periodically, a list of all of the unprotected login sites, including
> > any alternate protected login pages we are aware of. By default,
> > whenever a user accesses one of these unprotected pages, she will be
> > automatically redirected to the alternate, protected login page.
>
> How convenient! So if I could hack your server, I could get all
> TrustBar users' accesses -- to any predefined set of pages on the
> Internet -- to be redirected to scam pages.
>
> A redirect to an "untrustworthy" page is just as easy as a redirect to a
> "trustworthy" page. The question is who you trust.
>
> > BTW, TrustBar is an open-source project, so if some of you want to
> > provide it to your customers, possibly customized (branded) etc., there
> > is no licensing required.
>
> Also providing a handy platform for slightly modified versions, that will
> take their cues from a less "trustworthy" list of redirects.

---------------------------------------------------------------------
The Cryptography Mailing List
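The trade-off discussed in this thread, as an added example that is not part of the original emails and is not TrustBar code: a client treats the downloaded redirect list as untrusted input, follows an entry silently only when it is an https upgrade on the same host (the Gmail case above), and warns otherwise, so a tampered entry cannot send the user to a different host. The entry shape `{ unprotected, alternate }`, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not TrustBar code. Entry shape and all names are hypothetical.
// Constructed sample list, standing in for what the client downloaded.
const SAMPLE_LIST = [
  { unprotected: "http://mail.example.com/login", alternate: "https://mail.example.com/login" },
  { unprotected: "http://bank.example.net/signin", alternate: "https://secure-login.example.org/signin" },
  { unprotected: "http://shop.example.org/account", alternate: "http://shop.example.org/secure" },
];

function parse(u) {
  try { return new URL(u); } catch { return null; }
}

// True when a list entry refers to the page being requested.
function matches(entry, requested) {
  const listed = parse(entry.unprotected);
  return listed !== null && listed.protocol === requested.protocol &&
    listed.host === requested.host && listed.pathname === requested.pathname;
}

// Returns { action: "allow" | "redirect" | "warn", target?, reason? }.
function decide(requestedUrl, list) {
  const requested = parse(requestedUrl);
  if (requested === null) return { action: "allow" };
  const entry = list.find((e) => matches(e, requested));
  if (!entry) return { action: "allow" };
  const alt = parse(entry.alternate);
  // Silent redirect only for an https upgrade on the very same host.
  if (alt !== null && alt.protocol === "https:" && alt.hostname === requested.hostname) {
    return { action: "redirect", target: alt.href };
  }
  // Anything else is shown to the user instead of being followed.
  const reason = alt === null ? "no usable alternate in list"
    : alt.protocol !== "https:" ? "alternate is not https"
    : "alternate is on a different host";
  return { action: "warn", reason };
}

for (const e of SAMPLE_LIST) console.log(e.unprotected, decide(e.unprotected, SAMPLE_LIST));
```

This check narrows what a modified list can do; it says nothing about whether the list itself is authentic.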