[13519] in cryptography@c2.net mail archive
Re: An attack on paypal
daemon@ATHENA.MIT.EDU (Dave Howe)
Sun Jun 8 18:56:41 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "Dave Howe" <DaveHowe@gmx.co.uk>
To: "James A. Donald" <jamesd@echeque.com>,
"Email List: Cypherpunks" <cypherpunks@lne.com>,
"Email List: Cryptography" <cryptography@metzdowd.com>
Date: Sun, 8 Jun 2003 23:43:29 +0100
James A. Donald wrote:
> Attached is a spam mail that constitutes an attack on paypal similar
> in effect and method to man in the middle.
>
> The bottom line is that https just is not working. Its broken.
HTTPS works just fine.
The problem is - people are broken.
At the very least, verisign should say "ok so '..go1d..' is a valid server
address, but doesn't it look suspiously similar to this '..gold..' site over
here?" for https://pseudo-gold-site/ - but really, if users are going to
fill in random webforms sent by email, they aren't going to be safe under
any circumstances; the thing could send by unsecured http to any site on the
planet, then redirect to the real gold site for a generic "transaction
completed" or even "failed" screen
A world where a random paypal hack like this one doesn't work is the same as
the world where there is no point sending out a Nigerian as you will never
make a penny on it - and yet, Nigerian is still profitable for the con
artists.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
