dshieldlists at versateam.com
Mon Oct 15 23:33:52 GMT 2007
Johannes Ullrich wrote:
> Sorry to contradict Deb here. But I don't have issues with redirects
> like that. They are much more common than you think. For example, do you
> enter "http://isc.sans.org" or "http://isc.sans.org/index.html" in your
> browser? After you log in to DShield/ISC, you are redirected... there
> are many situations that may require redirects like this or at least
> they will make it much easier to create reasonable URLs and maintain
> sanity on the backend.
The automatic redirect that goes to the default document in a directory
is normal and common. I'd even be charitable and say you could put
"www.sans.org" in the text and "http://www.sans.org/index.html" in the
link, and I wouldn't complain. What I am complaining about is where the
link contains something radically different from the text. True, many
users wouldn't be able to see the distinction I am making, but I think
it is valid, and if it were the norm, more users might begin to spot it,
and protect themselves from phishing.
I'm not really worried that anyone on this list is going to get caught
by a phishing email, or even be much confused by the CNN example I cite.
And I'll grant you that CNN is free to do anything it wants that works.
I just don't think it is a good idea for any legitimate business to use
the same sneaky tactics as phishers, or any sneaky tactics at all for
> Phishers use logos... should we get rid of them too and use a text-only web?
I'm a fan of text-only e-mail, so my answer for email might not be
objective ... and I'm not a fan of web pages with logos, images, and
iframes that are loaded from different servers and networks, since most
of the time they aren't there to benefit me, and sometimes one site is
using the logo from another without permission. That's why I'd prefer an
HTTPS landing page for that e-mail link -- the site can have all the
images and logos they want, but visitors normally get warnings if some
parts are not from secure sites, and there is a bandwidth overhead, so
site designers might be encouraged to keep it a bit simple -- besides
providing a higher standard of identification. I'm sure CNN already has
a certificate; why not use it and show their customers that they meet
higher standards for trustworthiness, instead of linking their
reputation to the sleazy tactics of phishers.
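The distinction drawn in the message above, between a harmless link (visible text "www.sans.org" pointing at http://www.sans.org/index.html) and a deceptive one (visible text naming one host while the href goes somewhere radically different), can be checked mechanically. The following Python script is an added example and is not code from the original message, from DShield, or from CNN; the HTML it parses is a constructed sample, and the rule it applies (compare the host named in the link text with the host in the href, ignoring a leading "www." and any path) is one reasonable reading of the criterion the author describes. Link text that is not URL-like ("Click here") is left alone, since the complaint is specifically about text that looks like an address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the original thread).
# Anchor 1 is the case the author accepts, 2 and 4 are the kind he objects to,
# 3 is an HTTPS link whose text and target agree.
SAMPLE_HTML = """
<p>Visit <a href="http://www.sans.org/index.html">www.sans.org</a> for training.</p>
<p>Read <a href="http://click.tracker.example/r?u=cnn">http://www.cnn.com/story</a></p>
<p>Secure: <a href="https://isc.sans.org/">https://isc.sans.org</a></p>
<p>Also <a href="http://www.cnn.com.evil.example/">www.cnn.com</a></p>
<p><a href="http://example.org/login">Click here</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Text that looks like an address: optional scheme, optional www., a dotted
# host, optional path.  Group 1 is the host without a leading "www.".
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I
)


def host_of(url):
    """Host of a URL, lower-cased, with a leading 'www.' dropped."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def displayed_host(text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def check_anchors(html):
    """Return (href, text, verdict) for every anchor in the HTML."""
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.anchors:
        shown = displayed_host(text)
        actual = host_of(href)
        if shown is None:
            verdict = "ok (text is not an address)"
        elif shown == actual:
            verdict = "ok"
        else:
            verdict = "SUSPICIOUS: text shows %s but link goes to %s" % (shown, actual)
        results.append((href, text, verdict))
    return results


def suspicious_links(html):
    """Only the anchors whose visible text names a different host than the href."""
    return [(href, text) for href, text, v in check_anchors(html) if v.startswith("SUSPICIOUS")]


if __name__ == "__main__":
    for href, text, verdict in check_anchors(SAMPLE_HTML):
        print("%-45s %-28s %s" % (href, text, verdict))
```

The fourth anchor shows why the comparison is on the whole host rather than a substring match: "www.cnn.com" does appear inside "www.cnn.com.evil.example", but the hosts are not equal, so it is flagged. A redirect hidden behind a tracking host (anchor 2) is flagged for the same reason, while the path difference the author considers acceptable (anchor 1) is not.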