Adam Back wrote:
I would think it would be safer to block the site, or provide a
warning dialog.
Before we do the first redirection, we do ask the user. However, since
TrustBar is really part of our research on secure usability, we are
aware that asking the user is a very problematic
snip
David Wagner writes:
One thing that web sites could do to help is to always make
https://www.foo.com work just as well as http://www.foo.com, and
then browser plug-ins could simply translate http://www.foo.com -
https://www.foo.com for all sensitive sites. Of course, web site
I would think it would be safer to block the site, or provide a
warning dialog. (This is what I was expecting when I started reading
the head post; I was bit surprised at the interventionism to actually
go ahead and fix the site, maybe that would be a better default
behavior).
btw Regarding
Dare I say that the best must not be the enemy of the good?
--dan
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Amir Herzberg writes:
However, quite a few of these sites invoke SSL/TLS only _after_ user has
typed in her user name and pw, and clicked `submit`. This allows a MITM
adversary to send a modified login page to the user, which sends the pw
to the attacker (rather than encrypting it and sending to
Perhaps the idea of automatically redirecting people to alternative
pages goes a bit too far:
1. TrustBar will automatically download from our own server,
periodically, a list of all of the unprotected login sites, including
any alternate protected login pages we are aware of. By default,
John Gilmore wrote:
Perhaps the idea of automatically redirecting people to alternative
pages goes a bit too far:
Of course, users can turn this off for one page or for all, but that's
not answering yet John's comments below - I respond following them...
Also: I am not crazy about this
David Wagner wrote:
Amir Herzberg writes:
However, quite a few of these sites invoke SSL/TLS only _after_ user has
typed in her user name and pw, and clicked `submit`. This allows a MITM
adversary to send a modified login page to the user, which sends the pw
to the attacker (rather than
Most financial and other sensitive web sites use SSL/TLS to authenticate
the server and protect data from eavesdropping and from modification by
a Man In The Middle (MITM) adversary.
However, quite a few of these sites invoke SSL/TLS only _after_ user has
typed in her user name and pw, and
On Mon, Sep 19, 2005 at 02:54:14PM +0200, Amir Herzberg wrote:
We now added a mechanism
computes a hash of every unprotected site for which the user has
assigned name/logo. TrustBar compares this hash on subsequent accesses
to the same site. If the site is not modified in five subsequent
10 matches
Mail list logo
