: I think it's a matter more of how users being used to that could be
: easily socially engineered on top of a website defacement, as opposed to
: any technological security risk. Assuming the site redirected to is, in
: fact, what it claims to be, then the user remains safe. The issue is: if
: I get redirected from http://www.citicards.com to
: https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm
: used to seeing the domain change, then I am less likely to notice it.
: There's probably also the underlying assumption in the hosting company
: that the "non-secure" domain doesn't need to be as well protected,
: thereby making a defacement changing the redirect more likely.
Even so, labeling this a vulnerability or 'design flaw' in a banking web site seems to be inappropriate given the typical uses and general acceptance of those words.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
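The quoted scenario (a login redirect that lands on a host where the bank's own name is merely a subdomain of someone else's registrable domain) is easy to check for mechanically on the defender's side, for instance in a proxy log review or a browser-side sanity check. The following is an added example, not code from the thread or from any of the sites named in it; the `registrable_domain` helper is a deliberate simplification that takes the last two labels as the registrable domain (a real deployment would use the Public Suffix List), and the legitimate cross-domain destination `secure.example.com` is a constructed sample value.

```python
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname.

    Assumption/simplification: the registrable domain is the last two
    labels (so 'www.citicards.com' -> 'citicards.com'). Multi-label public
    suffixes such as 'co.uk' are not handled; use the Public Suffix List
    in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_redirect(origin_url: str, location: str) -> str:
    """Classify an HTTP redirect from origin_url to the Location value.

    Returns one of:
      'same-domain'  - target stays within the origin's registrable domain
                       (this covers the ordinary http -> https hop and
                       relative Location headers)
      'lookalike'    - target is a different registrable domain, but the
                       origin's registrable domain appears inside it as a
                       run of labels (e.g. www.citicards.com.rbn.ru); this
                       is the case the thread describes
      'cross-domain' - target is simply a different registrable domain
    """
    origin_host = (urlparse(origin_url).hostname or "").lower()
    target_host = (urlparse(location).hostname or "").lower()

    # A relative Location (e.g. '/login') has no host and stays on the origin.
    if not target_host:
        return "same-domain"

    origin_reg = registrable_domain(origin_host)
    target_reg = registrable_domain(target_host)

    if origin_reg == target_reg:
        return "same-domain"

    # Look for the origin's registrable domain as whole labels inside the
    # target host, e.g. '.citicards.com.' inside '.www.citicards.com.rbn.ru.'
    if f".{origin_reg}." in f".{target_host.rstrip('.')}.":
        return "lookalike"

    return "cross-domain"


def audit_redirects(pairs):
    """Return the (origin, location, verdict) triples that leave the origin's
    registrable domain, for a reviewer to inspect."""
    flagged = []
    for origin, location in pairs:
        verdict = classify_redirect(origin, location)
        if verdict != "same-domain":
            flagged.append((origin, location, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample redirects; only the first hostnames come from the thread.
    sample = [
        ("http://www.citicards.com/", "https://www.citicards.com/login"),
        ("http://www.citicards.com/", "https://www.citicards.com.rbn.ru/login"),
        ("http://www.citicards.com/", "https://secure.example.com/"),
        ("http://www.citicards.com/", "/login"),
    ]
    for origin, location, verdict in audit_redirects(sample):
        print(f"{verdict:12} {origin} -> {location}")
```

The point of separating `lookalike` from `cross-domain` is that a legitimate hand-off to a second domain is common enough that it cannot be blocked outright, whereas a target that embeds the origin's own domain name under a different registrable domain has no legitimate reason to exist and deserves immediate attention.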
