On Wed, Jun 21, 2006 at 12:20:36AM -0700, Luigi Rizzo wrote:
> On Wed, Jun 21, 2006 at 07:07:39AM +0000, John Birrell wrote:
> > The fact that a lot of innocent (naive) people don't use https and certificates?!
>
> and so they would happily click on
>
> <a href="http://www.666.org/gimmeyourmoney">Secure Link to Your Bank</a>
>
> so we are not opening much in terms of security holes...

You are making it worse because you open a new security hole:

<a href="https://www.paypal.com/">www.paypal.com</a>

does not take them to the _REAL_ www.paypal.com.

This is not an issue about phishing where:

<a href="http://some.dynamic.ip.addr/">www.paypal.com</a>

makes it look like the link takes them to PayPal when it really doesn't.

Most banks still don't use certificates even though they use HTTP.

We need to retain the integrity of a DNS lookup. If there are any
workarounds required for poor DNS lookups, then let an administrator
configure them!

--
John Birrell

Received on Wed Jun 21 2006 - 05:31:27 UTC