@jdstrand: I may have not explained this ideally. Yes, EV certs will protect us if your router is trying to lie to you about where paypal.com is, but they don't help at all if my app shows something which looks like the trust-store dialog but actually isn't. Users will then type their Ubuntu One password into it, which we don't want them to do, but there's no way of telling whether something that looks like a secure OS- presented dialog actually *is* that secure OS-presented dialog.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu. https://bugs.launchpad.net/bugs/1489643 Title: [pay UI] Paypal login cannot be assured to be from paypal Status in Canonical System Image: Confirmed Status in pay-ui: Triaged Status in Ubuntu UX: Triaged Status in webbrowser-app package in Ubuntu: Confirmed Bug description: When paying for an app with Paypal, the Paypal login screen is presented in an Ubuntu wrapper. There is no indication on this page that I'm actually looking at paypal.com rather than being phished or that some bad DNS has pointed me to a wrong site. The padlock in the top corner doesn't indicate anything I'm inclined to believe -- is it showing that the connection is https? Has it verified that I'm really talking to Paypal? How can I know that? This is encouraging people to type their Paypal password into phishing sites. The previous step in the purchase process, where I'm choosing which payment system to use, also displays a padlock, and that hasn't connected to any payment site at all. To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-devices-system-image/+bug/1489643/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
