Re: ~/.hosts patch

From: John Birrell <jb_at_what-creek.com>
Date: Wed, 21 Jun 2006 07:31:23 +0000

On Wed, Jun 21, 2006 at 12:20:36AM -0700, Luigi Rizzo wrote:
> On Wed, Jun 21, 2006 at 07:07:39AM +0000, John Birrell wrote:
> > The fact that a lot of innocent (naive) people don't use https and certificates?!
> 
> and so they would happily click on
> 
> 	<a href="http://www.666.org/gimmeyourmoney">Secure Link to Your Bank</a>
> 
> so we are not opening much in terms of security holes...

You are making it worse because you open a new security hole:

<a href="https://www.paypal.com/">www.paypal.com</a>

does not take them to the _REAL_ www.paypal.com.

This is not an issue about phishing where:

<a href="http://some.dynamic.ip.addr/">www.paypal.com</a>

makes it look like the link takes them to PayPal when it really
doesn't.

Most banks still don't use certificates even though they use HTTP.

We need to retain the integrity of a DNS lookup. If there are any
workarounds required for poor DNS lookups, then let an administrator
configure them!

--
John Birrell
Received on Wed Jun 21 2006 - 05:31:27 UTC
