Precisely. The way HTTP works is strictly less secure than the most insecure HTTPS scenario.

If I wanted to MITM some HTTPS connection, I wouldn't do so by redirecting the victim to a fake HTTPS web page, but to a fake HTTP one. The lack of warnings from the browser would make such an attack go unnoticed in many cases. That is, the lack of a warning from the browser in plain HTTP makes the protection of SSL certificates much less effective.

In the video I linked before, Moxie Marlinspike proposes an alternative method to check the authenticity of a web site that is not based on CAs. I see some problems with his approach, but I agree with him that we need to look for something different than what we have right now.

--
You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To post to this group, send email to sage-devel@googlegroups.com. Visit this group at http://groups.google.com/group/sage-devel. For more options, visit https://groups.google.com/d/optout.
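The downgrade the post describes (an HTTPS request answered with a redirect to a plain-HTTP page, which the browser accepts without any certificate warning) can be spotted on the client or proxy side by inspecting the redirect chain. The following is an added defender-side example, not code from the original message; the hostnames and redirect chains are constructed sample data.

```python
from urllib.parse import urlparse, urljoin

# Constructed redirect chains (not real captures). Each hop is
# (URL requested, HTTP status, Location header or None).
BENIGN_CHAIN = [
    ("http://example.test/", 301, "https://example.test/"),
    ("https://example.test/", 200, None),
]
DOWNGRADE_CHAIN = [
    # The HTTPS request is answered with a redirect to plain HTTP:
    # the browser follows it silently, no certificate warning is shown.
    ("https://example.test/login", 302, "http://example.test/login"),
    ("http://example.test/login", 200, None),
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def scheme_of(url):
    """Return the lowercased URL scheme ('http' or 'https')."""
    return urlparse(url).scheme.lower()


def find_downgrades(chain):
    """Return (from_url, to_url) pairs where a redirect moves https -> http.

    Relative Location headers are resolved against the requesting URL, so a
    bare '/login' on an https page does not count as a downgrade.
    """
    downgrades = []
    for url, status, location in chain:
        if location is None or status not in REDIRECT_STATUSES:
            continue
        target = urljoin(url, location)
        if scheme_of(url) == "https" and scheme_of(target) == "http":
            downgrades.append((url, target))
    return downgrades


def ends_on_plain_http(chain):
    """True if the last hop of the chain was served over plain HTTP."""
    final_url, _status, _location = chain[-1]
    return scheme_of(final_url) == "http"


if __name__ == "__main__":
    for name, chain in (("benign", BENIGN_CHAIN), ("downgrade", DOWNGRADE_CHAIN)):
        print(name, find_downgrades(chain), ends_on_plain_http(chain))
```

A proxy or monitoring hook that logs every flagged hop gives the warning the browser itself does not raise for this case.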