Bookmarks or favorites or whatever your browser of choice wishes to call them, for the https URLs. That, or remember to type in the https:// prefix.
- S

-----Original Message-----
From: Patrick W. Gilmore [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2008 11:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Exploit for DNS Cache Poisoning - RELEASED

On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote:

> On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
>> Luckily we have the SSL/CA architecture in place to protect any web
>> page served over SSL. It's a good job users are not conditioned to
>> click "OK" when told "the certificate for this site is invalid".
>
> 'course, as well as relying on users not ignoring certificate warnings,
> SSL as protection against this attack relies on the user explicitly
> choosing SSL (by manually prefixing the URL with https://), or noticing
> that the site didn't redirect to SSL.
>
> Your average Joe who types www.paypal.com into their browser may very
> well not notice that they didn't get redirected to
> https://www.paypal.com/

That did not even occur to me.

Anyone have a foolproof way to get grandma to always put "https://" in front of "www"?

Seriously, I was explaining the problem to someone saying "never click 'OK'" when this e-mail came in and I realized how silly I was being.

Help?

--
TTFN,
patrick