[Dshield] CNN?

M Cook dshieldlists at versateam.com
Mon Oct 15 23:33:52 GMT 2007 

Johannes Ullrich wrote:

> Sorry to contradict Deb here. But I don't have issues with redirects
> like that. They are much more common then you think. For example do you
> enter "http://isc.sans.org" or "http://isc.sans.org/index.html" in your
> browser? After you log in to DShield/ISC, you are redirected... there
> are many situations that may require redirects like this or at least
> they will make it much easier to create reasonable URLs and maintain
> sanity on the backend.

The automatic redirect that goes to the default document in a directory 
is normal and common. I'd even be charitable and say you could put 
"www.sans.org" in the text and "http://www.sans.org/index.html" in the 
link, and I wouldn't complain. What I am complaining about is where the 
link contains something radically different from the text. True, many 
users wouldn't be able to see the distinction I am making, but I think 
it is valid, and if it were the norm, more users might begin to spot it, 
and protect themselves from phishing.

I'm not really worried that anyone on this list is going to get caught 
by a phishing email, or even be much confused by the CNN example I cite. 
And I'll grant you that CNN is free to do anything it wants that works. 
I just don't think it is a good idea for any legitimate business to use 
the same sneaky tactics as phishers, or any sneaky tactics at all for 
that matter.

> Phishers use logos... should we get rid of them too and use a text-only web?

I'm a fan of text-only e-mail, so my answer for email might not be 
objective ... and I'm not a fan of web pages with logos, images, and 
iframes that are loaded from different servers and networks, since most 
of the time they aren't there to benefit me, and sometimes one site is 
using the logo from another without permission. That's why I'd prefer an 
HTTPS landing page for that e-mail link -- the site can have all the 
images and logos they want, but visitors normally get warnings if some 
parts are not from secure sites, and there is a bandwidth overhead, so 
site designers might be encouraged to keep it a bit simple -- besides 
providing a higher standard of identification. I'm sure CNN already has 
a certificate, why not use it and show their customers that they meet 
higher standards for trustworthiness, instead of linking their 
reputation to the sleazy tactics of phishers.

</rant>

More information about the list mailing list