(crossposting this between dev-tech-crypto and dev-security per Nelson
Bolyard's suggestion)

One of my colleagues has managed to locate a site that:
a) goes to the official paypal site
b) redirects off of the paypal site
c) ends up landing on a paypal spoof

without:
d) triggering any notification of an EV site being left
e) triggering the phishy/phorgery warning (this has changed at
approximately 10:30pm on 03Jul2008)

We have been unable to figure out any way to submit a site to the
phish filter (in firefox3), and given the recent hoohah about EV
certificates and their usage for validation I'm concerned that people
who have their navigation toolbars turned off aren't going to see the
problems until it's too late.

I'm told that there is no code in place for notification of leaving an
EV site for another site; I believe this is an oversight that should
be fixed (this is separate from the "SSL to non-SSL" config preference
which isn't enabled by default).

Thanks,

-Kyle H

On Thu, Jul 3, 2008 at 9:09 PM, Nelson Bolyard
<[EMAIL PROTECTED]> wrote:
> Kyle Hamilton wrote, On 2008-07-03 19:51:
>> https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr&return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/?cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.DisputeTransactionID.2LC956793J776333Y
>>
>> This is a valid PayPal URL that issues a redirect to an external site,
>> which just happens (at this moment) to spoof the PayPal layout.
>
> It doesn't even trigger any kind of a phishy site warning.
>
>> Is there any provision anywhere for a "you are leaving an EV site to
>> go to a non-EV SSL site or an unencrypted site" kind of warning?
>
> I think that's a great question.  I think the answers are:
>
> - there is a message for encrypted->unencrypted transition, but it's off by
> default and you have to know how to use about:config to turn it on
>
> - there's no EV->nonEV https transition message
>
>> And if this isn't the best place for this kind of discussion, is there a
>> discussion group/list/newsgroup that would be better?
>
> I think the person you need to engage is Johnathan Nightingale.
> I suggest cross posting to both this group mozilla.dev.tech.crypto and
> also to mozilla.dev.security.  Maybe even to mozilla.dev.apps.Firefox.
>
> /Nelson
> _______________________________________________
> dev-tech-crypto mailing list
> [EMAIL PROTECTED]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
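The defect the thread describes is an open redirect: the PayPal `return` parameter is honoured without checking where it points. Below is an added example (the editor's own code, not PayPal's and not anything from this thread) of the server-side check that would have refused that redirect. It pulls the `return` value out of the URL quoted above and classifies it against an allowlist of hosts; the allowlist itself (`www.paypal.com`, `paypal.com`) and the sample "safe" targets are assumptions constructed for the example. It goes a little beyond the one URL in the thread by also rejecting the usual allowlist bypasses (protocol-relative `//host`, userinfo `good.com@evil.com`, backslash paths, and non-https schemes), since a check that only looks at the string prefix would pass those.

```python
"""Redirect-target validator for the open redirect described in the thread.

Added example; the allowlist and the 'safe' sample targets are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# URL copied from the thread: a real PayPal path whose `return` parameter
# points at an external host (http://paypal-cgi-bin.s6.pl/...).
PAYPAL_URL = (
    "https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr"
    "&return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/?cgi-bin.webscrcmd="
    "_login-run.webscrcmd=_account-run.DisputeTransactionID."
    "2LC956793J776333Y"
)

# Assumed allowlist: the only hosts a redirect may land on.
ALLOWED_HOSTS = {"www.paypal.com", "paypal.com"}


def redirect_target(url, param="return"):
    """Return the (percent-decoded) value of the redirect parameter, or None."""
    query = urlsplit(url).query
    values = parse_qs(query, keep_blank_values=True).get(param)
    return values[0] if values else None


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` is a same-site relative path or an https URL
    whose host is in `allowed_hosts`.

    Rejects the classic bypasses that a naive prefix check lets through:
      //evil.example          protocol-relative, parsed as a host by browsers
      /\\evil.example          browsers treat the backslash as a slash
      https://good@evil       userinfo makes the real host `evil`
      https://good.evil       suffix match is not an exact host match
      http://good             downgrade to cleartext, even on a good host
    """
    if not target:
        return False
    # Browsers normalise backslashes to slashes before resolving, so do the
    # same before parsing; otherwise "/\evil" looks like a relative path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # Relative path: a single leading slash, never "//" (protocol-relative).
        return normalised.startswith("/") and not normalised.startswith("//")

    if parts.scheme.lower() != "https":
        return False
    if parts.username or parts.password:
        return False  # "https://www.paypal.com@evil/" would land on evil
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def audit(url, allowed_hosts=ALLOWED_HOSTS, param="return"):
    """Return (host the redirect would land on, whether it passes the check)."""
    target = redirect_target(url, param)
    landing_host = urlsplit((target or "").replace("\\", "/")).hostname
    return landing_host, is_safe_redirect(target, allowed_hosts)


if __name__ == "__main__":
    host, ok = audit(PAYPAL_URL)
    print(f"return= lands on {host!r}; passes allowlist check: {ok}")
```

Run as a script it reports that the quoted URL's `return` value lands on `paypal-cgi-bin.s6.pl` and fails the check; the same target rewritten as `https://` would still fail because the host is not allowlisted, which is the point of matching the parsed host exactly rather than looking for "paypal" anywhere in the string.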