[plexicle]

If you found a way to have the address bar show an HTTPS lock on a Google domain despite actually being on one, then you've found a big hole and you could make a lot of money by reproducing/reporting this security flaw.

The fact that you have found "several ways" is intriguing. You are either mistaken, or you're one of the greatest security researchers out there.

[Herrera]

I already did report them. The first one was fixed (CVE-2015-6782), got $1k from Google. There are three more they are working on.

[seccess]

In that case, way to go, that is very impressive! I'm surprised the bounty was so low, honestly.

In response to your first comment, I should clarify that checking for a valid HTTPS URL SHOULD be sufficient, barring implementation errors in the browser. Of course, if the browser is insecure, all bets are off wrt web security. Implications may range far beyond phishing attacks in that case.

[Herrera]

Thank you! I got involved with the security world recently and I'm really enjoying it. And I would like to clarify myself, the comment I made earlier was a little ambiguous. The bug that got fixed only spoofs the omnibox and not the HTTPS lock. The others spoof both. That said, when I am able to disclose these vulnerabilities, I intend to write a post about them.

[seccess]

You should, I would love to read that :)

[jsprogrammer]

>Of course, if the browser is insecure, all bets are off wrt web security.

I guess this is a no go for now, then?

>There are three more they are working on.

[ppereira]

Wow, this thread reminded me of the "best HN comeback of all time":

https://news.ycombinator.com/item?id=35079