funsec mailing list archives

Re: link from http page to https page


From: security curmudgeon <jericho () attrition org>
Date: Sun, 27 Jul 2008 18:26:15 +0000 (UTC)


: I think it's a matter more of how users being used to that could be 
: easily socially engineered on top of a website defacement, as opposed to 
: any technological security risk. Assuming the site redirected to is, in 
: fact, what it claims to be, then the user remains safe. The issue is: if 
: I get redirected from http://www.citicards.com to 
: https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm 
: used to seeing the domain change, then I am less likely to notice it.
:  There's probably also the underlying assumption in the hosting company 
: that the "non-secure" domain doesn't need to be as well protected, 
: thereby making a defacement changing the redirect more likely.

Even so, labeling this a vulnerability or 'design flaw' in a banking web 
site seems to be inappropriate given the typical uses and general 
acceptance of those words.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
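The quoted scenario above (a redirect from http://www.citicards.com landing on https://www.citicards.com.rbn.ru) is easy to reproduce as a code check. The block below is an added example written for this archive page, not code from the funsec thread or from any bank: it compares a naive "does the target host start with our hostname" test, which the lookalike host passes, with a label-aware check that requires the target to be the site's registrable domain or a subdomain of it. The domain names are the thread's own illustration; the helper names and the two-label approximation of the registrable domain are assumptions for the example.

```python
# Added example, not from the funsec thread: validating an http->https redirect
# target so that a host that merely *begins with* the legitimate hostname
# (www.citicards.com.rbn.ru) is rejected. Hostnames are the thread's example;
# the function names and the two-label "registrable domain" rule are assumptions.
from urllib.parse import urlparse, urljoin


def naive_host_check(target_host: str, expected_host: str) -> bool:
    """The mistake the thread's lookalike exploits: a prefix test on the host.
    'www.citicards.com.rbn.ru' starts with 'www.citicards.com', so it passes."""
    return target_host.lower().startswith(expected_host.lower())


def host_in_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.
    Works on whole DNS labels: 'www.citicards.com.rbn.ru' is NOT inside
    'citicards.com', and neither is 'evilciticards.com'."""
    h = host.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def registrable_domain(host: str) -> str:
    """Approximates the registrable domain as the last two labels.
    Real code should consult the public-suffix list (e.g. 'co.uk' has three)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def redirect_is_safe(source_url: str, location: str) -> bool:
    """Validate a Location header for a plain-http page handing off to https:
    the target must be https and its host must sit inside the source site's
    registrable domain. urlparse() handles the userinfo trick
    (https://www.citicards.com@rbn.ru/) by reporting the real host, rbn.ru."""
    src = urlparse(source_url)
    dst = urlparse(urljoin(source_url, location))  # resolve relative Locations
    if dst.scheme != "https" or not dst.hostname or not src.hostname:
        return False
    domain = registrable_domain(src.hostname)
    return bool(domain) and host_in_domain(dst.hostname, domain)


if __name__ == "__main__":
    # Constructed Location values for demonstration.
    source = "http://www.citicards.com/"
    for loc in (
        "https://www.citicards.com/login",
        "https://secure.citicards.com/",
        "https://www.citicards.com.rbn.ru/login",
        "https://www.citicards.com@rbn.ru/",
        "https://evilciticards.com/",
        "http://www.citicards.com/login",
    ):
        host = urlparse(loc).hostname or ""
        print(f"{loc:45} naive={naive_host_check(host, 'www.citicards.com')!s:5} "
              f"strict={redirect_is_safe(source, loc)}")
```

The point of the side-by-side output is the third line: the naive prefix test accepts the lookalike host, which is exactly the user-level confusion the quoted poster describes, while the label-aware check rejects it. The same rule belongs wherever a redirect target is decided or verified, whether in the http site's redirect configuration, a reverse proxy, or a monitoring check that fetches the http front page and confirms where it lands.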

