Marsh Ray wrote:
>
> Martin Rex wrote:
> >
> > Thinking about it, I feel slightly uneasy about some redirects, such as
> > https://gmail.com -> 301 -> https://mail.google.com/mail
> >
> > I think these should never go without a warning.
>
> That bugs me too. Lots of sites do it though, usually with Javascript.
>
> > If my bank's online-banking portal (https://www.<mybank>.de)
> > would suddenly redirect me to https://www.<mybank>.com before
> > asking me for credentials and transaction authorization codes,
> > that would be a real security problem, because www.<mybank>.com
> > is not leased by my bank (it is apparently not currently leased to anyone).
> >
> > A hacker that breaks into a web-site in order to trap
> > victims
>
> The site is now 100% (to use the technical term) "pwned".
>
> It's not possible for a network security protocol to survive the
> compromise of one of the endpoints. We can no longer reason about Alice
> and Bob if Bob is allowed to be under the hypnotic control of Eve.

True. I used the wrong words in what I was trying to say.

There is definitely little that you can do about a full compromise of the real server.

But blindly trusting browsers may easily turn a seemingly small security vulnerability (every XSS, CSRF, content upload) that enables diverting a victim to the attacker's own server seamlessly into something close to equivalent to a full compromise of the real server, for the purpose of capturing sensitive or confidential information from the victim.

-Martin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
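The redirect chains discussed in this thread (gmail.com to mail.google.com, or a bank's .de portal to an unrelated .com host) are the kind of hop a client could flag before it presents a login form. The following is an added example, not code from the thread or from any browser vendor: it audits a recorded chain of redirect URLs and returns a warning for every hop that leaves the registrable domain or downgrades from https. The `registrable_domain` helper is a deliberately simplified heuristic (last two DNS labels) and is an assumption of this example; a real implementation would consult the Public Suffix List so that hosts under co.uk and similar suffixes are handled correctly.

```python
from urllib.parse import urlsplit


def registrable_domain(host):
    """Approximate the registrable domain of a hostname.

    Assumption made for this example: the registrable domain is the last two
    labels. A production check would use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def audit_redirect_chain(chain):
    """Return a list of warnings for a redirect chain given as a list of URLs.

    A warning is produced for each hop that (a) downgrades from https to a
    non-https scheme, or (b) moves to a different registrable domain.
    An empty list means every hop stayed within the same site over https.
    """
    warnings = []
    for i in range(1, len(chain)):
        src = urlsplit(chain[i - 1])
        dst = urlsplit(chain[i])
        src_host = src.hostname or ""
        dst_host = dst.hostname or ""

        # Any hop that drops TLS exposes the rest of the chain to the network.
        if src.scheme == "https" and dst.scheme != "https":
            warnings.append(
                f"hop {i}: downgrade from https to {dst.scheme or 'unknown'} ({chain[i]})"
            )

        # A change of registrable domain means a different party now receives
        # whatever the user types next; this is the case the thread argues
        # should never pass silently.
        if registrable_domain(src_host) != registrable_domain(dst_host):
            warnings.append(
                f"hop {i}: cross-site redirect {src_host} -> {dst_host}"
            )
    return warnings


def needs_user_warning(chain):
    """True if a client should interrupt the navigation and warn the user."""
    return bool(audit_redirect_chain(chain))


if __name__ == "__main__":
    # Constructed sample chains modelled on the thread's examples.
    samples = [
        ["https://gmail.com", "https://mail.google.com/mail"],
        ["https://www.mybank.de/login", "https://www.mybank.com/login"],
        ["https://www.example.com", "https://app.example.com/login"],
        ["https://www.example.com", "http://www.example.com"],
    ]
    for chain in samples:
        print(" -> ".join(chain))
        for w in audit_redirect_chain(chain):
            print("   WARNING:", w)
```

Run stand-alone, the script prints one warning for the gmail and bank chains (cross-site), none for the same-site hop to app.example.com, and a downgrade warning for the https-to-http hop. The point of the check is that the decision is made on the whole chain, not on the final URL alone, so a hop through an attacker-controlled host cannot be hidden by bouncing back to the original site afterwards.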