On Thu, Jan 14, 2016 at 11:17 AM, Ian Kelly <ian.g.ke...@gmail.com> wrote:
> On Wed, Jan 13, 2016 at 3:19 AM, Chris Angelico <ros...@gmail.com> wrote:
>> You're quite probably right that obfuscating the display is security
>> theatre; but it's the security theatre that people are expecting. If
>> you're about to enter your credit card details into a web form, does
>> it really matter whether or not the form itself was downloaded over an
>> encrypted link? But people are used to "look for the padlock", which
>> means that NOT having the padlock will bother people. If you ask for a
>> password and it gets displayed, people will wonder if they're entering
>> it in the right place.
>
> I realize that I'm taking this thread off-topic, but yes, it's
> important that the form itself be downloaded over a secure connection.
> If I can MitM the form response over an insecure connection, then I
> can also MitM the form itself. And if I can do that, then I can
> deliver exactly the form you were expecting, but with an added script
> that will read your credit card number as you type it and then fire it
> off to be stored on my server before you've even hit the Submit
> button.

Noscript FTW. :)

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
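A small defensive check of Ian's point above, added here as an example and not part of the thread: it parses a page's forms with the Python standard library and flags any form carrying a password or card field when either the page itself or the form's action was not delivered over HTTPS. The host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input type, name or autocomplete tokens that mark a form as carrying secrets.
SENSITIVE_HINTS = ("password", "passwd", "card", "cc-", "cvc", "cvv")

class FormCollector(HTMLParser):
    """Record every <form>: its action URL and whether it holds a sensitive input."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes parse as None
        if tag == "form":
            self._current = {"action": a.get("action", ""), "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            hint = " ".join(a.get(k, "") for k in ("type", "name", "autocomplete")).lower()
            if any(h in hint for h in SENSITIVE_HINTS):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return one finding per weakness for each sensitive form on the page."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        # The page itself must arrive over TLS: whoever can alter it in transit
        # can add a script that reads the fields before Submit (Ian's point).
        if urlparse(page_url).scheme != "https":
            findings.append(f"page {page_url} loaded without TLS: form and scripts can be altered in transit")
        # Submission must also be encrypted, or the fields leave in the clear.
        action = urljoin(page_url, form["action"])
        if urlparse(action).scheme != "https":
            findings.append(f"form submits to {action}: fields travel in the clear")
    return findings

# Constructed sample: the form posts over HTTPS, but the page carrying it came over HTTP.
SAMPLE_HTML = ('<form action="https://shop.example/login" method="post">'
               '<input type="text" name="user"><input type="password" name="pass"></form>'
               '<form action="/search"><input type="text" name="q"></form>')
WARNINGS = audit_forms("http://shop.example/login", SAMPLE_HTML)  # one finding: page not TLS
```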