[Walkman]

Man, you don't even understand basic security practices.

When going from a HTTP page to a HTTPS page, what guarantees can you give that I see the original content and clicked the proper link and that I was not MITM-ed? A potential attacker can MITM and easily redirect me to any order page they want... This is security 101.

[rsync]

I understand the attack you've outlined just fine.

What you don't understand is that people that don't notice being redirected to a different domain are not smart enough to be using rsync.net in the first place.

So it's not an issue.

Or, I should say, in the fifteen years that we have been providing "cloud storage"[1] it hasn't been an issue.

[1] It wasn't called "cloud storage" back then - our service predates the term.

[Walkman]

Probably I (working in security and even checking certificates sometimes) would not even notice if it would point to a different domain like rsync-app.net or some random name with a valid cert. There are a ton of examples and valid points of putting different things to different TLDs. Why should I be suspicious? How should I know what domain, subdomain, whatever did you choose and why?

Maybe even https://order.rsync.net could be the link and YOU (the sysadmin of the service) might not even notice, because I'm pretty sure you don't check/monitor your DNS records every couple of minutes.

The reason "it did not happened yet", is not valid, because if could happen anytime in your service's lifetime. It's like an open door and no robbery happened yet, but the likelihood of it is happening is worse than if you at least close the door. It would be silly to complain "It has been open for a long time and there were no robbery." after it happened.

> "people that don't notice being redirected to a different domain are not smart enough to be using rsync.net in the first place."

This is just an assumption, I would not make that. You could be surprised. Sometimes even web developers don't understand how x509 certs and https work.