by itsadok 4569 days ago
IsTom's comment was about how an HTTP-served page might be modified to make the "secure" links actually point to a non-HTTPS fake login page (for example). This assumes the user will not notice that the connection is not secure (which I think is a fair assumption).

Given that, another attack might be to mitm DNS and serve an entirely fake Amazon site, all in HTTP, and the user will not notice there's anything wrong.

I think that's the point mro and troels were trying to make.

The only way I can imagine to mitigate this would be to use HSTS on the amazon.com home page.
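As an added illustration of the mitigation named in the comment above (this is example code written for this page, not something from the commenter or from Amazon), here is a small Python checker that parses a `Strict-Transport-Security` header as RFC 6797 defines it and reports what a browser would and would not be protected against. The sample response headers are constructed for the example; the one-year threshold is a common recommendation, not a requirement of the RFC.

```python
"""Parse and evaluate Strict-Transport-Security (HSTS) headers, RFC 6797."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample HTTPS responses, as header dicts a browser would receive.
SAMPLE_RESPONSES = {
    "no_hsts": {"Content-Type": "text/html"},
    "short_max_age": {"Strict-Transport-Security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

ONE_YEAR = 365 * 24 * 3600  # commonly recommended minimum max-age, in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; return None if the browser would ignore it."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            # RFC 6797: a missing, malformed or duplicated max-age invalidates the header
            if not raw.isdigit() or max_age is not None:
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTPS response; an empty list means nothing to flag."""
    findings: List[str] = []
    # header names are case-insensitive
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("no HSTS header: the browser will still follow http:// links "
                        "and typed URLs in the clear, which is the scenario above")
        return findings
    policy = parse_hsts(value)
    if policy is None:
        findings.append("malformed HSTS header: the browser ignores it")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 clears any stored policy instead of setting one")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is short: the policy lapses between visits")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains remain reachable over plain HTTP")
    if not policy.preload:
        findings.append("preload missing: not eligible for browser preload lists, so the very "
                        "first visit is unprotected until the header has been seen once")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, evaluate_hsts(headers) or ["ok"])
```

The last finding is the caveat worth remembering for the comment's scenario: HSTS is remembered by the browser only after one clean HTTPS visit has delivered the header, so a user who has never reached the real site over HTTPS (or whose policy has expired) is still exposed to the DNS-plus-plain-HTTP trick, unless the domain is on the browsers' built-in preload list.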