Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this scenario is touted pretty often as a classic XSS exploit. How about an read-only site without requiring any logons, such as dictionary sites or some news...

I like the idea behind Extended Validation Cert a lot. It is designed to combat phishing problems. There are some well-known phishing victim sites, such as Paypal, Bank of America, EBay, etc, that would love this feature. Check out how IE7 green address...

You may wonder why OWA 2007 show cert warnings by default on most browsers. At the back of your mind, Microsoft has talked so much about trustworthy computing, and they must still do not get security. Exchange team has gone back and forth on this issue...