On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
> Patrick W. Gilmore wrote:
> > Anyone have a foolproof way to get grandma to always put "https://" in front of "www"?
>
> I understand this is a huge can of worms, but maybe it's time to change the default behavior of browsers from http to https...?
>
> I'm sure it's doable in FF with a simple plugin, one doesn't have to wait for FF4. (That would work for bookmarks too.)

It probably wouldn't help. In this case, if I was the attacker, I'd just find a company selling "Domain Validated" certs whose upstream nameserver was vulnerable (there's enough "Domain Validated" certificate pushers now that this shouldn't be hard). Then you spoof the domain from their point of view, obtain a cert, and now HTTPS will work with no error message, almost certainly fooling anyone's grandma.

-Jasper