[13515] in cryptography@c2.net mail archive
Re: An attack on paypal
daemon@ATHENA.MIT.EDU (tom st denis)
Sun Jun 8 17:53:50 2003
X-Original-To: cryptography@metzdowd.com
Date: Sun, 8 Jun 2003 14:47:02 -0700 (PDT)
From: tom st denis <tomstdenis@yahoo.com>
To: cryptography@metzdowd.com
In-Reply-To: <3EE32428.1173.13AC2C1@localhost>
--- "James A. Donald" <jamesd@echeque.com> wrote:
> Attached is a spam mail that constitutes an attack on paypal similar
> in effect and method to man in the middle.
>
> The bottom line is that https just is not working. It's broken.
I disagree. That attack is more akin to a "Hi, I'm calling from
{insert bank here} and we need your CC info to update your file."
That doesn't mean credit cards [nor your bank] are flawed. It means
you're an idiot for giving out the information.
Note that this "attack" doesn't actually exploit the automated side of
things. It doesn't learn the secret key [password] nor does it decrypt
packets [via https]. The attack is based on you giving out the
secrets, and alas, no crypto can really stop that [unless you stop
letting the users have the secrets].
So your "conclusions" are a bit off.
Tom
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com