HJ wrote:
>> Let's take this example, Gerv wrote in his paper that SSL History should be user accessible,
> That's not what I wrote. In fact, the reason it's a hash is so that no-one can look at it and see a list of sites visited.
Gerv, you seem to have missed this one: news://news.mozilla.org:119/[EMAIL PROTECTED]
>> Another problem is that Gerv's paper only covers SSL protected sites, but most recent phishing attacks (example: http://www.rceasy.com/paypal/ ) do not even use SSL protection, so I might still be fooled, without being notified.
> Of course you are being notified - the "www.paypal.com" and lock you normally see on PayPal are totally absent! That's a massive UI difference.
Well, that's not what I call a 'notification' (no protection) and in that case you don't need any notification at all.
/HJ
