HJ wrote:

> Let's take this example: Gerv wrote in his paper that SSL history should be user accessible,

That's not what I wrote. In fact, the reason it's a hash is so that no-one can look at it and see a list of sites visited.


> but I don't agree, because what if I go to a public Internet cafe or use the Internet from some public computer in my hotel?
>
> Someone might add the wrong validation keys, and I'll end up visiting a phony site without being notified about my error!

See my previous post on this. But, if you are suggesting this might happen, the previous malicious person may also install a malicious extension, or add dodgy certs to the root store, or anything. You can't trust a computer you don't have control of.


> Another problem is that Gerv's paper only covers SSL-protected sites, but most recent phishing attacks (example: http://www.rceasy.com/paypal/ ) do not even use SSL protection, so I might still be fooled without being notified.

Of course you are being notified - the "www.paypal.com" and lock you normally see on PayPal are totally absent! That's a massive UI difference.


Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
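The exchange above turns on two properties of a hashed "SSL history": the store should not read back as a list of visited sites, yet the browser must still be able to match a return visit and notice a changed certificate, and HJ's worry is that someone with earlier access to a shared machine can pre-seed it. The following is an added illustration written for this page; it is not code from Gerv's paper or from Mozilla, and the `HashedSiteHistory` class, its key derivation (unsalted SHA-256 of the lowercased hostname) and the three-state `record()` result are assumptions made here to show the idea, not the real history format.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class HashedSiteHistory:
    """Illustrative 'SSL history' store (assumption: not Gerv's actual design).

    The key is SHA-256 of the lowercased hostname, so a casual look at the file
    shows only hex digests, not which sites were visited. The value is the
    fingerprint of the server certificate seen on the first visit.
    """
    entries: dict = field(default_factory=dict)  # hostname digest -> cert fingerprint

    @staticmethod
    def _key(hostname: str) -> str:
        return hashlib.sha256(hostname.strip().lower().encode("utf-8")).hexdigest()

    def record(self, hostname: str, cert_fingerprint: str) -> str:
        """Record a visit and report how the presented certificate compares.

        Returns "new" on first sight (fingerprint stored), "match" if it equals
        the stored one, "changed" if a different certificate is now presented.
        """
        key = self._key(hostname)
        previous = self.entries.get(key)
        if previous is None:
            self.entries[key] = cert_fingerprint
            return "new"
        if hmac.compare_digest(previous, cert_fingerprint):
            return "match"
        return "changed"

    def was_visited(self, hostname: str) -> bool:
        """Dictionary check: the caveat to 'no-one can see the sites'.

        Because the key is an unsalted hash of a guessable string, anyone who
        can read the store can still test candidate hostnames one by one.
        Hashing hides the list; it does not hide membership of popular sites.
        """
        return self._key(hostname) in self.entries


def poisoned_shared_machine_scenario() -> str:
    """HJ's scenario (constructed data): a previous user of a shared computer
    records a phony fingerprint for a site before the victim ever visits it.
    The victim's first visit to the phony site then reports "match", so the
    history alone raises no warning. This is why Gerv answers that a machine
    you do not control cannot be trusted."""
    history = HashedSiteHistory()
    history.record("www.paypal.com", "PHONY:FP:00")   # attacker pre-seeds the entry
    return history.record("www.paypal.com", "PHONY:FP:00")  # victim sees phony cert


if __name__ == "__main__":
    h = HashedSiteHistory()
    print(h.record("www.paypal.com", "AA:BB:CC"))  # new
    print(h.record("www.paypal.com", "AA:BB:CC"))  # match
    print(h.record("WWW.PAYPAL.COM", "DD:EE:FF"))  # changed (case-folded hostname)
    print(list(h.entries))                          # digests only, no hostnames
    print(h.was_visited("www.paypal.com"))          # True: membership is still testable
    print(poisoned_shared_machine_scenario())       # match: no warning for the victim
```

The `was_visited` method is the practitioner's caveat to the "it's a hash" argument: an unsalted hash of a hostname stops someone from reading the file as a list, but not from asking whether a specific well-known site is in it. The poisoning function shows the limit Gerv points out in reply: any store on the client can be pre-seeded by whoever had the machine before you, so the history cannot protect a user of a computer they do not control.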
