[HTTPS-Everywhere] In Google.xml, why "[^/@:]"?
Osama Khalid
osamak at gnu.org
Fri Dec 24 12:49:20 PST 2010
> Misspelled URLs could indicate an attempt to trick the user. We (if
> not the website operators) really should analyse them and warn the
> user if appropriate.
It's true that this can be the case, but I don't think we can overcome
this by a simple, publicly available regex. Yes, our regex will help
if the attacker tried to track users activity using a fake domain
named "www.google.%2.aa", but it'd do nothing for "www.google1.com".
I just think that the regular Firefox message should be shown if
something is wrong with the domain because that'd out of
HTTPSEverywhere scope.
--Osama Khalid
More information about the HTTPS-everywhere
mailing list