On 03/04/2009 03:36 PM, Boris Zbarsky:
> Florian Weimer wrote:
>> Most users are not subject to MITM attacks
> This may or may not be true given the prevalence of wireless networks
> out there... we've had a number of reports of in-the-wild MITM attacks
> by wireless network operators.

Yes, many routers and WiFi products are configured by default to allow
such attacks. I can confirm more complaints arriving also at the CA where I work.

> Yes, most of these are trying to phish sites that are normally SSL, so
> we should be making it very easy to tell when a site is not SSL or
> doesn't have the expected hostname over SSL. Making non-SSL sites look
> more like SSL ones even by similarly highlighting the hostname is asking
> for trouble.

Actually this is correct too. How can we indicate to a user that this
site really should be secured? When do we expect SSL? On submit or on
password fields in a form (as the starting page should be really secured
too, not only the POST target)? Could there be indicators which make
the user aware that this is not an SSL secured site (since regular http
throws neither a warning nor any other annoyance)?

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security