Defending users of unprotected login pages with TrustBar 0.4.9.93

Adam Back adam at cypherspace.org
Tue Sep 20 18:39:10 EDT 2005


I would think it would be safer to block the site, or provide a
warning dialog.  (This is what I was expecting when I started reading
the head post; I was a bit surprised at the interventionism to actually
go ahead and "fix" the site, maybe that would be a better default
behavior).


BTW, regarding unadvertised SSL equivalents, I have noticed if you
login to gmail, you get SSL for login, but then http for web mailer.
However if you edit the URL after login to https, it appears to work
ok over SSL also.

Adam

On Mon, Sep 19, 2005 at 04:20:07PM -0700, John Gilmore wrote:
> Perhaps the idea of "automatically" redirecting people to alternative
> pages goes a bit too far:
> 
> > 1. TrustBar will automatically download from our own server,
> > periodically, a list of all of the unprotected login sites, including
> > any alternate protected login pages we are aware of. By default,
> > whenever a user accesses one of these unprotected pages, she will be
> > automatically redirected to the alternate, protected login page.
> 
> How convenient!  So if I could hack your server, I could get all
> TrustBar users' accesses -- to any predefined set of pages on the
> Internet -- to be redirected to scam pages.
> 
> A redirect to an "untrustworthy" page is just as easy as a redirect to a
> "trustworthy" page.  The question is who you trust.
> 
> > BTW, TrustBar is an open-source project, so if some of you want to
> > provide it to your customers, possibly customized (branded) etc., there
> > is no licensing required.
> 
> Also providing a handy platform for slightly modified versions, that will
> take their cues from a less "trustworthy" list of redirects.
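The exchange above turns on a single trust assumption: whoever controls the downloaded list of unprotected login pages controls where every TrustBar user is sent. As an added illustration (not TrustBar's code, and not a feature the project describes), the snippet below shows one way a list consumer could bound that exposure before acting on an entry: only accept a replacement page that is served over HTTPS and sits on the same registrable domain as the unprotected page it replaces. The list format, the `registrable_domain` helper and the sample entries are all constructed for the example; a real implementation would use the public suffix list rather than the last two labels, and this check only limits the damage of a compromised list, it does not remove the need to trust its source.

```python
from urllib.parse import urlparse

# Constructed sample list: unprotected login URL -> proposed protected URL.
# This is not TrustBar's real list format; the entries are invented.
SAMPLE_LIST = {
    # Plain upgrade to HTTPS on the same host: should be accepted.
    "http://mail.example.com/login": "https://mail.example.com/login",
    # Entry that points users off-domain (what a tampered list could do): reject.
    "http://bank.example.net/signin": "https://login.example.org/signin",
    # Entry whose "protected" page is still plain HTTP: reject.
    "http://shop.example.com/login": "http://shop.example.com/secure-login",
}


def registrable_domain(host):
    """Naive approximation of the registrable domain (last two labels).

    Assumption for the example only: production code should consult the
    public suffix list, because e.g. 'co.uk' is not a registrable domain.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def safe_redirect_target(unprotected_url, proposed_url):
    """Return proposed_url if it is an acceptable replacement, otherwise None.

    Acceptable means: scheme is https, and the host shares the registrable
    domain of the unprotected page. Anything else is refused, so a list
    entry can at most move the user to another page of the same site.
    """
    src, dst = urlparse(unprotected_url), urlparse(proposed_url)
    if dst.scheme != "https" or not dst.hostname or not src.hostname:
        return None
    if registrable_domain(dst.hostname) != registrable_domain(src.hostname):
        return None
    return proposed_url


def apply_list(redirect_list):
    """Split a downloaded list into entries to act on and entries to drop.

    Rejected entries are returned too, so a client can log or warn about
    them instead of silently following or silently ignoring them.
    """
    accepted, rejected = {}, {}
    for src, dst in redirect_list.items():
        if safe_redirect_target(src, dst):
            accepted[src] = dst
        else:
            rejected[src] = dst
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = apply_list(SAMPLE_LIST)
    for src, dst in ok.items():
        print("redirect  ", src, "->", dst)
    for src, dst in bad.items():
        print("refused   ", src, "->", dst)
```

A client built this way still has to decide what to do with a refused entry; following the suggestion at the top of this message, warning the user rather than redirecting is the more conservative default.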

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
