Henry B. Hotz wrote:
> > [...] For example the user may trust a dedicated discovery service
> > or identity service that securely redirects requests from the source
> > to a target domain.

Thinking about it, I feel slightly uneasy about some redirects, such as

  https://gmail.com -> 301 -> https://mail.google.com/mail

I think these should never go without a warning.

If my bank's online-banking portal (https://www.<mybank>.de) would suddenly
redirect me to https://www.<mybank>.com before asking me for credentials and
transaction authorization codes, that would be a real security problem,
because www.<mybank>.com is not leased by my bank (it is apparently not
currently leased to anyone).

A hacker that breaks into a web-site in order to trap victims might be less
easily detected if he doesn't subvert the entire site and try to send
collected data to external places, but instead puts redirects into place
that browsers will blindly and silently follow, maybe additionally filtering
the clients that will be redirected based on their origin, so that the
helpdesk and security guys cannot immediately repro it with their browsers.

Should a user's decision to trust a particular service with a particular
issue always imply that this particular service is a fully trusted naming
service (i.e. one that performs secure name transformations)?

-Martin
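The kind of check Martin is asking for, a client or monitoring job that walks a redirect chain and warns before any hop leaves the registrable domain the user started on, as an added example that is not part of this thread. It runs offline against a constructed redirect table with placeholder hosts (standing in for the <mybank>.de to <mybank>.com case), and its registrable-domain logic is a deliberate simplification that ignores the Public Suffix List.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for live HTTP responses:
# request URL -> (status, Location header). Hosts are placeholders;
# "mybank.example" -> "mybank.test" plays the role of <mybank>.de -> .com.
REDIRECTS = {
    "https://gmail.com/": (301, "https://mail.google.com/mail"),
    "https://www.mybank.example/": (301, "/login/"),
    "https://www.mybank.example/login/": (302, "https://www.mybank.test/login/"),
}


def registrable_domain(host):
    """Simplified eTLD+1: the last two labels. A production checker must
    consult the Public Suffix List instead (co.uk etc.); this does not."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def follow_chain(start, table, max_hops=10):
    """Walk the redirect chain hop by hop, recording for each hop whether it
    leaves the starting registrable domain or downgrades https to http."""
    hops = []
    url = start
    for _ in range(max_hops):
        entry = table.get(url)
        if entry is None:          # no redirect: final destination reached
            break
        status, location = entry
        target = urljoin(url, location)   # Location may be relative
        src, dst = urlsplit(url), urlsplit(target)
        warnings = []
        if registrable_domain(src.hostname) != registrable_domain(dst.hostname):
            warnings.append("cross-domain")
        if src.scheme == "https" and dst.scheme != "https":
            warnings.append("scheme-downgrade")
        hops.append({"from": url, "to": target, "status": status,
                     "warnings": warnings})
        url = target
    return url, hops


def check_url(start, table=REDIRECTS):
    """Return the final URL, hop count and the hops a browser should warn on."""
    final, hops = follow_chain(start, table)
    flagged = [h for h in hops if h["warnings"]]
    return {"final": final, "hops": len(hops), "flagged": flagged}
```

Pointing this at the same entry URL from several networks or client identities is also a cheap way to notice the origin-filtered redirects Martin describes, since the chains will differ.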