
Re: Using Gmail (with Tor) is a bad idea



"Taka Khumbartha" <scarreigns@xxxxxxxxx> wrote:

> is the issue here not with gmail, but perhaps javascript?  can anyone
> confirm that there is no insecure redirection if javascript is
> disabled? if there still is (insecure redirection), please be
> specific about how to observe such an insecurity.

The redirects I'm talking about are basic HTTP features
and don't depend on JavaScript at all.

It's possible to emulate redirects with JavaScript,
but if an attacker is already in the position to run code
on your system, she probably has better things to do than
just to redirect you.

If you want to see what a redirect looks like,
use a Privoxy section like:

{-limit-connect \
 +redirect{http://tor.eff.org/} \
}
secure-login.example.org:443/

Enter https://secure-login.example.org/ in your browser
and see what happens. If you are still using Privoxy 3.0.3,
use:

{+block \
 +handle-as-image \
 -limit-connect \
 +set-image-blocker{http://tor.eff.org/} \
}
secure-login.example.org:443/

instead.

Fabian
-- 
http://www.fabiankeil.de/
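
Added example, not part of the original message: an HTTP redirect is only a 3xx status line plus a Location header, so no script has to run for the client to be sent elsewhere. The Python code below parses constructed raw responses and reports whether a redirect leaves HTTPS; the function names and the sample response bytes are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response_head(raw: bytes):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify_redirect(request_url: str, raw: bytes):
    """Describe where a response sends the client, or None if it is no redirect."""
    status, headers = parse_response_head(raw)
    location = headers.get("location")
    if status not in REDIRECT_CODES or not location:
        return None
    target = urljoin(request_url, location)  # Location may be relative
    # A downgrade is a request made over https whose target is not https.
    downgrade = (urlsplit(request_url).scheme == "https"
                 and urlsplit(target).scheme != "https")
    return {"status": status, "target": target, "downgrade": downgrade}

# Constructed sample responses; none of them carries any script.
SAMPLES = [
    ("https://secure-login.example.org/",
     b"HTTP/1.1 302 Found\r\nLocation: http://tor.eff.org/\r\n"
     b"Content-Length: 0\r\n\r\n"),
    ("https://secure-login.example.org/",
     b"HTTP/1.1 302 Found\r\nLocation: /account\r\n\r\n"),
    ("https://secure-login.example.org/account",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
]

if __name__ == "__main__":
    for url, raw in SAMPLES:
        print(url, "->", classify_redirect(url, raw))
```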
