Hi Ian,

You're right.

The solution is to send HTTP permanent redirects (so that all the content is served over https) and to set Strict Transport Security headers (https://bugs.freenetproject.org/view.php?id=4809).

Florent

On Tue, Mar 22, 2011 at 07:10:12AM -0500, Ian Clarke wrote:
> Out of interest, what is the security benefit of only showing our bitcoin
> address if the user is viewing the website using HTTPS?
>
> Seems pointless to me, since:
>
> 1. The bitcoin address is not a secret
> 2. If someone can do a MITM on the HTTP request, then they can edit the
> message that tells people to switch to HTTPS, and replace it with their own
> bitcoin address
>
> Ian.
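Added example (not code from the thread or from the Freenet project) showing the two measures Florent names in one minimal WSGI application: every request that arrives over plain HTTP gets a 301 to the same URL on https, and every https response carries a Strict-Transport-Security header. The hostname, paths and the `make_environ` helper are constructed for offline use; in production the app would sit behind a TLS terminator that sets `wsgi.url_scheme` to `https`.

```python
"""Permanent redirect to https plus HSTS, as a self-contained WSGI app."""
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year, also the minimum the browser preload list accepts
HSTS_VALUE = f"max-age={HSTS_MAX_AGE}; includeSubDomains"


def https_url(environ):
    """Rebuild the requested URL with an https scheme; host, path and query are kept."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def app(environ, start_response):
    if environ.get("wsgi.url_scheme") != "https":
        # 301 is cached by browsers, so the plain-HTTP copy of the page is never
        # served. No HSTS header on this branch: RFC 6797 tells clients to ignore
        # Strict-Transport-Security on responses that did not arrive over TLS.
        start_response("301 Moved Permanently",
                       [("Location", https_url(environ)), ("Content-Length", "0")])
        return [b""]

    body = b"Site content, served only over TLS\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # Once seen over https, the browser rewrites future http:// requests to
        # https:// itself, before any network request leaves the machine.
        ("Strict-Transport-Security", HSTS_VALUE),
    ])
    return [body]


def handle(environ):
    """Run one request through app() and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(scheme, host, path, query=""):
    """Constructed WSGI environ for an offline request (no socket involved)."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
            "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
            "REQUEST_METHOD": "GET"}


if __name__ == "__main__":
    # Local demonstration only: a plain-HTTP listener whose every response is a
    # 301 to the https version of the same URL.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The caveat Ian raises still applies to the very first visit: a client that has never seen the HSTS header can have its initial plain-HTTP request intercepted before the redirect is reached. HSTS closes the window for every later visit within `max-age`; submitting the domain to the browsers' preload list removes the first-visit window as well.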