On Oct 8, 2010, at 11:39 AM, Phillip Susi wrote: > On 10/8/2010 1:20 PM, Lucian Adrian Grijincu wrote: >> Yes, but what protection does this bring if: >> >> * the speaker enters "wiki.ubuntu.com" in the browser (default to HTTP) >> >> * the attacker does NOT redirect to a SSL site and just presents a >> (malicious) HTTP page >> >> * the speaker has no clue that wiki.ubuntu.com should normally be on HTTPS > > My thoughts exactly. This is an extraordinarily contrived reason to > always use ssl. Not to mention that ANY site that says to add a > repository hosted on some random server you have never heard of should > probably cause you to think twice. If it would be that obvious to > people watching changes to the wiki, it should be just as obvious to > someone reading it. >
Right, though if that site is *delivered via ssl* and the cert is from a trusted organization, you can trust the source of that information.. if you click "history" you know you're getting the real history. So if the attacker did not redirect to SSL, then you are not on an SSL site, and you should be *suspicious*. -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
