> A user who checks for the green lock in https urls may not check that a "wrong... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		flukus on Aug 31, 2016 \| parent \| context \| favorite \| on: Google's login page accepts a vulnerable GET param... > A user who checks for the green lock in https urls may not check that a "wrong password" page reached via the google login page is on a different domain because they don't expect it to be. I wonder if you could use that new fangled css that changes the tab color to red, then the red unlocked icon looks like part of the error page styling.

kuschku on Aug 31, 2016 | [–]

Or just use lets encrypt to get a certificate for accountsgoogle.com ?

That ensures basically no one will notice a difference.

Manishearth on Aug 31, 2016 | [–]

That's a good idea. We'd need to apply it to all http:// pages too for it to work though.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact