You are viewing a single comment's thread from:

RE: A brief rant on password security [Edit: Not so brief after all]

in #security8 years ago

Ahh, yes. That's a misconfiguration on their part; looks like the raw domain, without the www, is configured to point to their mailserver, so [email protected] will work correctly (poorly done, should've had the A record point to the website and the MX record point to the mailserver), so if you manually type https://dashlane.com, it breaks.

That is badly insecure, because it means they don't have HSTS on dashlane.com, only on www.dashlane.com, meaning I could sslstrip them as you described, and the address bar would read dashlane.com instead of www.dashlane.com.

Coin Marketplace

STEEM 0.24
TRX 0.26
JST 0.041
BTC 98449.34
ETH 3495.58
USDT 1.00
SBD 3.36