Boris Zbarsky wrote:
> Jean-Marc Desperrier wrote:
>> But, and as the link Eddy just reported shows, the attack is far from
>> being only for SSL.
>> I think we should reconsider the options available to make the domain
>> name more visible for http connections.
>> What about a white version of the hostname display for http sites?
> Wait. Why does the domain matter at all for non-SSL connections? It's
> not like we have any guarantees against MITM here...

Well, we don't have the option to change the world, and in practice
people just *do* send important login/password on http connections.
You do have a point though, maybe it's time to think about whether there's a
way by which Mozilla could push toward more use of https to protect sensitive data.