Hacker News new | past | comments | ask | show | jobs | submit login

No kidding... this is a problem they created by hiding/obfuscating the URL scheme. If the majority of URLs you visit start with http:// or https://, then data: stands out like the proverbial sore thumb.



That requires that you know what you're doing, though. Non-technical people are probably more inclined to think along the lines of "huh, odd, but everything looks fine, so it's probably my fault it looks like that"


In that case why bother with using a data url at all? They could just use "www.paypal.com.cgi-bin.webscr.xxxxxxxxx.myevilsite.com"


That way, they don't have to bother with a domain registration, either. A domain registration is neither free of charge nor entirely free of risk.


They could just create subdomains on a compromised domain they control belonging to someone else.


Did they hide it? I see "https://" in my Firefox.


They show https:// but they hide http://


Oh, I honestly would've missed this, because so few sites I browse are in cleartext anymore. They may as well just display a giant "INSECURE" banner, instead of http://, though.


FWIW, this recently landed in Firefox Nightly:

security.insecure_connection_icon.enabled

security.insecure_connection_icon.pbmode.enabled

Though it's still disabled by default (currently the insecure connection icon is only shown if a password field is present on a http page / the form action url is http).


They will, and they already do if that page includes a password form field :)




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: