On Fri, Mar 18, 2011 at 10:16 AM, [email protected] <[email protected]> wrote:
> Hmm, tested.
> In my Chromium, when I disabled HTTPS, the URL bar doesn't show the
> "green" HTTPS status.
>
> So I would say HTTPS isn't on by default.
If they really care about security, even the main page should be in HTTPS; otherwise someone could still hijack the main page and replace the link to the login page with something like https://twetter.com/login, and the end user, seeing the lock icon in their browser, would deem it safe. Even online banking didn't do it right, providing the main page in plain HTTP. Imagine going to www.maybank2u.com.my: someone can replace the login link with https://www.meybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login. To the end user, everything looks fine:

1. They typed the URL to maybank2u directly instead of clicking any link.
2. They can see the lock icon in their browser when clicking the login link.
3. The page looks like the real maybank2u site.

Unless they check the SSL cert information on the login link or look closely at the URL in the address bar (80% chance the end user wouldn't do this, I guess), they are 0wn3d already. Someone please prove me wrong on this.

_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki http://www.owasp.my
OWASP Malaysia Facebook http://www.facebook.com/OWASP.Malaysia
OWASP Malaysia Twitter #owaspmy http://www.twitter.com/owaspmy
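The scenario in the message above, worked through as an added example (this code is not from the poster or the list, and it talks to no real site). It constructs a landing page as a bank might serve it over plain HTTP, applies the on-path link rewrite the poster describes (pointing the HTTPS login link at a look-alike host), then runs the two checks that defeat it: the client-side one the poster says most users skip (does every link on the page stay within the expected domain, and is a foreign host a near-miss of the real one), and the server-side one the poster is asking for (does the plain-HTTP landing page redirect to HTTPS, with HSTS on the HTTPS side). The HTML, the HTTP responses and the `www.meybank2u.com.my` look-alike are constructed for the example; the real host and login path are the ones quoted in the message.

```python
"""Link hijacking on a plain-HTTP landing page, plus the checks against it.
Constructed example; hostnames, HTML and HTTP responses are illustrative."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

REAL_HOST = "www.maybank2u.com.my"      # host the user actually typed
FAKE_HOST = "www.meybank2u.com.my"      # hypothetical look-alike (from the post)
EXPECTED_DOMAIN = "maybank2u.com.my"    # registrable domain links may point to

# Constructed landing page, as served over plain HTTP in the scenario.
LANDING_PAGE = """<html><body>
<a href="/about">About us</a>
<a href="https://www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login">Login</a>
</body></html>"""


def rewrite_login_links(html, real_host, fake_host):
    """What an on-path attacker does to the unprotected HTTP response:
    repoint every absolute link at real_host to fake_host.  The fake host
    terminates TLS with its own valid certificate for its own name, so the
    victim still sees a lock icon after clicking."""
    pattern = r'(href=["\']https?://)' + re.escape(real_host)
    return re.sub(pattern, lambda m: m.group(1) + fake_host, html)


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def find_foreign_links(html, expected_domain):
    """The check the post says most users skip: every absolute link on the
    page must stay within expected_domain.  Relative links are same-origin
    and pass; any other host is reported, lock icon or not."""
    foreign = []
    for href in extract_links(html):
        host = urlsplit(href).hostname
        if host is None:
            continue
        if host != expected_domain and not host.endswith("." + expected_domain):
            foreign.append(href)
    return foreign


def edit_distance(a, b):
    """Plain Levenshtein distance, used to flag near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, expected_host, max_distance=2):
    """A foreign host within a couple of edits of the real one (meybank2u vs
    maybank2u) is a typosquat rather than an unrelated third party."""
    return host != expected_host and edit_distance(host, expected_host) <= max_distance


def audit_landing(http_status, http_headers, https_headers):
    """Server-side check of the fix the post asks for: the plain-HTTP landing
    page must redirect to HTTPS (so there is no cleartext page to tamper
    with), and the HTTPS response should pin that with HSTS.  Browsers ignore
    HSTS sent over plain HTTP, so it is checked on the HTTPS response only."""
    findings = []
    http = {k.lower(): v for k, v in http_headers.items()}
    https = {k.lower(): v for k, v in https_headers.items()}
    location = http.get("location", "")
    if http_status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("plain-HTTP landing page does not redirect to HTTPS")
    if "strict-transport-security" not in https:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    hijacked = rewrite_login_links(LANDING_PAGE, REAL_HOST, FAKE_HOST)
    for href in find_foreign_links(hijacked, EXPECTED_DOMAIN):
        tag = " (look-alike)" if is_lookalike(urlsplit(href).hostname, REAL_HOST) else ""
        print("foreign link:", href + tag)
    print(audit_landing(200, {"Content-Type": "text/html"}, {}))
```

Run stand-alone it reports the rewritten login link as a foreign look-alike and, for a landing page answered with 200 over plain HTTP, both server-side findings. The domain check is deliberately by registrable domain rather than by exact host, so a legitimate `login.maybank2u.com.my` passes while `www.meybank2u.com.my` does not; a real scanner would take the registrable domain from the public suffix list rather than a constant.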

