Kyle Hamilton wrote, On 2008-07-03 19:51:
> https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr&return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/?cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.DisputeTransactionID.2LC956793J776333Y
>
> This is a valid PayPal URL that issues a redirect to an external site,
> which just happens (at this moment) to spoof the PayPal layout.
> It doesn't even trigger any kind of a phishy site warning.

> Is there any provision anywhere for a "you are leaving an EV site to
> go to a non-EV SSL site or an unencrypted site" kind of warning?

I think that's a great question. I think the answers are:
- there is a message for encrypted->unencrypted transition, but it's off
  by default and you have to know how to use about:config to turn it on
- there's no EV->nonEV https transition message

> And if this isn't the best place for this kind of discussion, is there a
> discussion group/list/newsgroup that would be better?

I think the person you need to engage is Johnathan Nightingale.
I suggest cross posting to both this group mozilla.dev.tech.crypto
and also to mozilla.dev.security. Maybe even to mozilla.dev.apps.Firefox.

/Nelson
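
A check that a redirecting site or a link scanner could apply to the kind of URL quoted in this thread, given as an added example that is not part of the original message and not PayPal's or Mozilla's code. The parameter names in `RETURN_PARAMS` and the host list in `ALLOWED_HOSTS` are assumptions; the second sample URL is constructed.

```javascript
// Added example. RETURN_PARAMS and ALLOWED_HOSTS are assumptions for this sketch.
const RETURN_PARAMS = ["return", "next", "redirect"];
const ALLOWED_HOSTS = new Set(["www.paypal.com"]);

// Classify the redirect target carried in a link's query string.
// The WHATWG URL parser is used so the check sees the same host a browser would.
function classifyRedirect(link) {
  const src = new URL(link);
  for (const name of RETURN_PARAMS) {
    const raw = src.searchParams.get(name);
    if (raw === null) continue;
    let dst;
    try {
      // Resolve against the source so relative and "//host" forms are handled.
      dst = new URL(raw, src);
    } catch {
      return { param: name, targetHost: null, verdict: "reject",
               reasons: ["unparseable target"] };
    }
    const reasons = [];
    if (!["http:", "https:"].includes(dst.protocol)) reasons.push("non-web scheme");
    if (!ALLOWED_HOSTS.has(dst.hostname)) reasons.push("host not on allowlist");
    if (src.protocol === "https:" && dst.protocol !== "https:") reasons.push("leaves HTTPS");
    return { param: name, targetHost: dst.hostname,
             verdict: reasons.length ? "reject" : "allow", reasons };
  }
  return { param: null, targetHost: null, verdict: "allow", reasons: [] };
}

// The URL quoted in the thread, then a constructed same-host return value.
const quoted = "https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr&return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/?cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.DisputeTransactionID.2LC956793J776333Y";
const sameHost = "https://www.paypal.com/cgi-bin/webscr?cmd=_ssr&return=%2Fcgi-bin%2Fwebscr%3Fcmd%3D_home";
console.log(classifyRedirect(quoted));
console.log(classifyRedirect(sameHost));
```

The quoted URL is rejected on two counts, an off-allowlist host and a drop from HTTPS to HTTP, which are the two transitions the thread asks the browser to warn about.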