Does anyone know a good explainer text why hybrid HTTP/HTTPS solutions (aka "only login encrypted") are always insecure?
well, at least then you can't just grab the password from autofill anymore. Not saying it's a sane idea, but better than nothing.
(Chrome autofills passwords, even in frames, and autofilled creds can be grabbed from JS w/o user interaction)
(so a MITM attacker can iirc just grab your saved creds for all http sites he knows w/o user interaction)