undefined | Better HN

0 pointsFroogo4y ago0 comments

I guess a concern could be that since this URL is insecure, it could redirect you wherever assuming your network is compromised (either their malicious URL, or even HTTP for the legit Heroku site assuming you don't have HSTS on it).

Obviously, you've checked the URL and seen that it's legit after, but realistically you should expect a legit email to not be feeding you a potentially insecure link.

0 comments

2 comments · 1 top-level

tialaramex4y ago· 1 in thread

Right. If you're on top of things then using plain HTTP links here didn't make anything worse, but if you aren't it's yet another unnecessary gift to bad guys because it's yet another opportunity for customers to get phished.

FroogoOP4y ago

Sorry, meant if the end user's network was compromised, not the server's.

Whether or not you're on top of your game, HTTP leaves you vulnerable to MITM attacks[0]. So this would leave the end user vulnerable to any of these attacks even assuming Heroku has everything else perfect.

[0] https://en.wikipedia.org/wiki/Man-in-the-middle_attack

j / k navigate · click thread line to collapse