Thrawn wrote: Well, if you really want to stop all HTTP traffic to Wells Fargo, then I'd again suggest the Force HTTPS feature, this time with '.wellsfargo.com'.
I can stop all http traffic to ME from insecure WF by not visiting the sites that aren't already HTTPS-secured in and of themselves.
The issue raised -- and as said, I'm not sure about this -- was stopping traffic from http WF to https WF. We can't stop that. But in the RP example, we stopped the secure page from sending us content that they got elsewhere.
My forcing HTTPS on http WF doesn't inherently make the http page any more secure against phishing attacks, MITM, XSS, etc.
(The hacker doesn't force HTTPS, LOL.)
The idea was to have no contact with, or content imported from, any http page at that domain.
OK, I've thought some more and realised that there's a good way to protect the encrypted online banking portion of the site, while allowing the general site to link to the login page.
If that is your wish, fine. I don't care to go through the general site at all, but rather start at the https login page. Not sure why you're so attached to the insecure page, or want to go through there to get to the secure login. (If I sound a little testy, please remember yesterday's PM: It's been a *very* long day.)
and capable of extracting passwords from the Firefox password manager, if they're stored there and not protected by an addon like Secure Login or similar.
I think you know my feelings about storing passwords in a browser or browser add-on. (Maybe not?)
I would *never* store pws in an Internet-facing app. (Two words: Password Safe)
On an unrelated note, you've mentioned that it's better for people to ditch Google/Microsoft/Yahoo services, but Wells Fargo relies on Akamai?
Akamai has a much better reputation than either Google or MS.
(Both of the latter have been the subject of numerous lawsuits by various governments and other entities.)
There is no Akamai scripting at WF.
RP shows a request. When I blocked it, all that changed was that the WF logo disappeared from the page.
IOW, no *active content* from Akamai.
Even if they tried to plant a web bug, this user's practice of always restarting the browser before and after "sensitive" activities, which was derided by some, would dump the bug before I browsed anywhere else.
I don't have quite so low an opinion of Yahoo, or I wouldn't use their webmail (for non-sensitive messages; all else via Hushmail.)
What I do believe in, as a general rule, is Occam's Razor and the Principle of Least Privilege, both of which were axiomatic decades ago when resources were scarce, but have seemingly been discarded these days:
If you don't need it, don't allow it.
Certainly don't whitelist it. And delete it from Default W/L.
I went so far as to block Yahoo home page in Hosts, not because I distrust them, but it stops the annoying redirect every time I log out of Mail, which would take me to their portal page, full of distracting junk that eats bandwidth. The "Firefox can't connect" message, coming internally from a Hosts lookup, happens instantaneously.