[18524] in cryptography@c2.net mail archive
Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
daemon@ATHENA.MIT.EDU (John Gilmore)
Tue Sep 20 17:28:01 2005
X-Original-To: cryptography@metzdowd.com
To: herzbea@macs.biu.ac.il
Cc: cryptography@metzdowd.com
In-reply-to: <432EB4F6.6020504@cs.biu.ac.il>
Date: Mon, 19 Sep 2005 16:20:07 -0700
From: John Gilmore <gnu@toad.com>

Perhaps the idea of "automatically" redirecting people to alternative
pages goes a bit too far:

> 1. TrustBar will automatically download from our own server,
> periodically, a list of all of the unprotected login sites, including
> any alternate protected login pages we are aware of. By default,
> whenever a user accesses one of these unprotected pages, she will be
> automatically redirected to the alternate, protected login page.

How convenient! So if I could hack your server, I could get all
TrustBar users' accesses -- to any predefined set of pages on the
Internet -- to be redirected to scam pages.

A redirect to an "untrustworthy" page is just as easy as a redirect to a
"trustworthy" page. The question is who you trust.

> BTW, TrustBar is an open-source project, so if some of you want to
> provide it to your customers, possibly customized (branded) etc., there
> is no licensing required.

Also providing a handy platform for slightly modified versions, that will
take their cues from a less "trustworthy" list of redirects.

John
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
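
The concern in the message above is that whoever controls the downloaded list controls where users land. As an added example (not TrustBar's code and not part of the original message), the following JavaScript limits what a downloaded list entry is allowed to do on the client: the target must be HTTPS and must stay on the source's own site. The `{from, to}` entry format and all function names are assumptions.

```javascript
// Added example: client-side policy check for a downloaded redirect list.
// The {from, to} entry format and every name here are assumptions.

// Drop a leading "www." so www.bank.example and secure.bank.example share a base.
function baseHost(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// Returns null when the entry is acceptable, otherwise the reason it is refused.
function rejectReason(entry) {
  let from, to;
  try {
    from = new URL(entry.from);
    to = new URL(entry.to);
  } catch (e) {
    return "unparseable URL";
  }
  if (to.protocol !== "https:") return "target is not HTTPS";
  // "https://bank.example@other.test/" parses with hostname other.test.
  if (to.username || to.password) return "target contains userinfo";
  const base = baseHost(from.hostname);
  const target = to.hostname.toLowerCase();
  // Allow only the source's base host or a subdomain of it.
  if (target !== base && !target.endsWith("." + base)) {
    return "target host is outside the source site";
  }
  return null;
}

// Split a downloaded list into entries to honour and entries to refuse.
function filterRedirectList(entries) {
  const accepted = [], rejected = [];
  for (const entry of entries) {
    const reason = rejectReason(entry);
    if (reason === null) accepted.push(entry);
    else rejected.push({ entry, reason });
  }
  return { accepted, rejected };
}

// Constructed sample list: one legitimate entry and three a tampered list might carry.
const sampleList = [
  { from: "http://www.bank.example/login", to: "https://secure.bank.example/login" },
  { from: "http://www.bank.example/login", to: "https://bank.example.evil.test/login" },
  { from: "http://shop.example/signin", to: "http://shop.example/signin" },
  { from: "http://mail.example/", to: "https://mail.example@phish.test/" },
];
console.log(filterRedirectList(sampleList));
```

This bounds the damage from a tampered list; entries that pass the check still depend on trusting whoever published the list.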