An attack on paypal
James A. Donald
Sun Jun 8 17:35:36 2003
From: "James A. Donald" <jamesd@echeque.com>
To: <cypherpunks@lne.com>, <cryptography@metzdowd.com>
Date: Sun, 8 Jun 2003 11:55:20 -0700
Attached is a spam mail that constitutes an attack on paypal similar
in effect and method to man in the middle.
The bottom line is that https just is not working. It's broken.
The fact that people keep using shared secrets is a symptom of https
not working.
The flaw in https is that you cannot operate the business and trust
model using https that you can with shared secrets.
-------------- Enclosure number 1 ----------------
Date: Sun, 08 Jun 2003 02:50:24 +0000
From: Confirm <confirm@paypal.com>
Subject: Important Information Regarding Your PayPal Account
To: Jamesd <jamesd@echeque.com>
Dear PayPal Customer
This e-mail is the notification of recent innovations taken by PayPal to detect inactive customers and non-functioning mailboxes.
The inactive customers are subject to restriction and removal in the next
3 months.
Please confirm your email address and Credit or Check Card information using the form below:
Information transmitted using 128bit SSL encryption.
Thanks for using PayPal!
This PayPal notification was sent
to this email address because you are a Web Accept user and
chose to receive the PayPal Periodical newsletter and Product Updates. To
Copyright© 2003 PayPal Inc. All rights reserved. Designated trademarks
and brands are the property of their respective owners.
