[Owasp-Malaysia] twitter with HTTPS

Mohd Kamal Bin Mustafa kamal at smach.net
Fri Mar 18 07:10:10 EDT 2011


On Fri, Mar 18, 2011 at 10:16 AM, najmi.zabidi at gmail.com
<najmi.zabidi at gmail.com> wrote:
> hmm tested.
> in my chromium, when i disabled HTTPS, the URL Bar doesn't show the
> "green" https status.
>
> so i would say https isn't by default.

If they really care about security, even the main page should be in
https; otherwise someone could still hijack the main page and replace
the link to the login page with something like https://twetter.com/login, and
an end user seeing the lock icon in their browser would deem it
safe.

Even online banking didn't do it right, providing the main page in
plain http. Imagine going to www.maybank2u.com.my; someone can replace
the login link with
https://www.meybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login.
To the end user, everything looks fine:

1. They type the URL to maybank2u directly instead of clicking any link.
2. They can see the lock icon in their browser when clicking the login link.
3. The page looks like the real maybank2u site.

Unless they check the SSL cert information on the login link or look
closely at the URL in the address bar (80% chance the end user wouldn't do
this, I guess), they are 0wn3d already. Someone please prove me wrong on
this.
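The landing-page checks this post argues for, as an added example that is not part of the original post or of any OWASP project: it audits a landing-page response for an HTTP-to-HTTPS redirect, a Strict-Transport-Security header on the HTTPS version, and login links that leave the site's own host (the lookalike-domain case above). The host names and responses are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses; "example-bank.test" and its lookalike are made up.
LANDING_HTTP = {
    "url": "http://www.example-bank.test/",
    "status": 200,
    "headers": {"Content-Type": "text/html"},
    # A tampered landing page: the login link points at a lookalike host.
    "body": '<a href="https://www.examp1e-bank.test/login">Login</a>',
}
LANDING_HTTPS_GOOD = {
    "url": "https://www.example-bank.test/",
    "status": 200,
    "headers": {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "body": '<a href="/login">Login</a> <a href="https://help.example-bank.test/">Help</a>',
}
LOGIN_HINTS = ("login", "signin", "logon")


def audit_landing_page(resp):
    """Return a list of findings for a landing-page response dict
    with keys url, status, headers and body (empty list means no issue)."""
    findings = []
    parts = urlparse(resp["url"])
    host = parts.hostname or ""
    hdrs = {k.lower(): v for k, v in resp["headers"].items()}
    if parts.scheme == "http":
        # A plain-HTTP landing page should do nothing but redirect to HTTPS.
        loc = hdrs.get("location", "")
        if not (300 <= resp["status"] < 400 and loc.startswith("https://")):
            findings.append("plain-HTTP landing page does not redirect to HTTPS")
    elif "strict-transport-security" not in hdrs:
        # HSTS is only honoured on HTTPS responses, so check it there.
        findings.append("HTTPS landing page sets no Strict-Transport-Security header")
    for href in re.findall(r'href=["\']([^"\']+)', resp["body"], flags=re.I):
        if not any(h in href.lower() for h in LOGIN_HINTS):
            continue
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(f"login link over plain HTTP: {href}")
        # Relative links have no hostname and stay on the site; absolute ones
        # must be the site host or a subdomain of it.
        if target.hostname and not (target.hostname == host
                                    or target.hostname.endswith("." + host)):
            findings.append(f"login link leaves the site host: {href}")
    return findings


if __name__ == "__main__":
    for sample in (LANDING_HTTP, LANDING_HTTPS_GOOD):
        print(sample["url"], audit_landing_page(sample) or ["ok"])
```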

