[HTTPS-Everywhere] Microsoft.com/security/ exclusion needed
Chris Palmer
chris at noncombatant.org
Mon Oct 18 10:16:45 PDT 2010
> I wonder if this was intended as some kind of anti-clickjacking measure or
> as a defense against cookie theft via mixed content? In the former case it
> seems broken; in the latter case perhaps not.
Defeating clickjacking is quite hard indeed, and most such mechanisms are
broken. I also doubt it's intended as any kind of cookie theft defense ---
redirecting to unsafe transport is no way to stop cookie theft. :)
I can't imagine what they are thinking. We should lobby them to change it so
that HTTPS works.
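The point above, that an HTTPS-to-HTTP redirect is no defense against cookie theft, follows from how browsers decide which cookies to attach to a request: under RFC 6265 §5.4 a cookie carrying the Secure attribute is sent only over a secure channel, while a cookie without it is sent over plain HTTP too, so a downgrade redirect exposes exactly the cookies that lack the flag. The following is an added example, not code from the thread or from HTTPS Everywhere; it models that send decision with a constructed cookie jar and hypothetical hostnames (example.test) and reports which cookies would be transmitted in clear along a redirect chain.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    """Minimal stored cookie: name plus the attributes that govern sending."""
    name: str
    domain: str
    path: str = "/"
    secure: bool = False


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain match: exact host or a subdomain of the cookie domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path match: identical, or cookie path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, url: str):
    """Names of the cookies a browser would attach to a request for `url`.

    Secure cookies are attached only when the scheme is https; everything else
    that matches domain and path goes out regardless of transport.
    """
    parts = urlsplit(url)
    secure_channel = parts.scheme == "https"
    request_path = parts.path or "/"
    return sorted(
        c.name
        for c in jar
        if domain_matches(parts.hostname or "", c.domain)
        and path_matches(request_path, c.path)
        and (secure_channel or not c.secure)
    )


def downgrade_exposure(jar, redirect_chain):
    """Walk a redirect chain and, for every https -> http hop, list the cookies
    that would be sent in clear on the downgraded request."""
    exposed = {}
    for prev_url, next_url in zip(redirect_chain, redirect_chain[1:]):
        if urlsplit(prev_url).scheme == "https" and urlsplit(next_url).scheme == "http":
            exposed[next_url] = cookies_sent(jar, next_url)
    return exposed


# Constructed sample jar (not real cookies): only one session cookie is
# flagged Secure, the other is not.
SAMPLE_JAR = (
    Cookie("session", "example.test"),
    Cookie("session_secure", "example.test", secure=True),
    Cookie("tracker", "www.example.test", path="/security/"),
    Cookie("unrelated", "other.test"),
)

# Hypothetical chain modelling the behaviour discussed in the thread:
# an HTTPS request to a /security/ path is redirected to plain HTTP.
SAMPLE_CHAIN = (
    "https://www.example.test/security/",
    "http://www.example.test/security/",
)

if __name__ == "__main__":
    for url, names in downgrade_exposure(SAMPLE_JAR, SAMPLE_CHAIN).items():
        print(f"downgrade to {url} sends in clear: {names}")
```

The design choice worth noting is that the redirect itself changes nothing about the jar: the only lever that keeps a cookie off the plaintext hop is the Secure attribute set when the cookie was issued, which is why the fix belongs in the cookie attributes (and in serving the page over HTTPS), not in a redirect.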