[13585] in cryptography@c2.net mail archive
Re: The real problem that https has conspicuously failed to fix
daemon@ATHENA.MIT.EDU (Jeffrey I. Schiller)
Wed Jun 11 16:57:19 2003
X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Jun 2003 16:10:21 -0400
From: "Jeffrey I. Schiller" <jis@mit.edu>
To: roy@rant-central.com
Cc: martin f krafft <madduck@madduck.net>, cypherpunks@lne.com,
cryptography@metzdowd.com
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Folks, this isn't an https (or even http) problem. It is a tough user
interface issue. Note: The form posting goes to www.pos2life.biz, which
doesn't remotely look like paypal.com!
To make matters worse, there are plenty of businesses that send you
legitimate email that comes from a "random" looking place. Just today I
received one from MIT's Alumni Association, but the actual source was
something like m0.email-foobar.com (or something). Obviously the Alumni
Association outsources the sending of the mail to some third party
company. So even if we came up with some fancy way of saying "This form
doesn't post to the same place this page came from [never mind that the
origin of an e-mail form is ill defined]", it won't help.
I also received this scam mail. There were only two hints of badness
(besides the obvious request for personal info that paypal shouldn't
need): one was the form posting and the other was the "Received-by" line
which my mail system put on the message, which showed its origin at a
suspicious place (I believe in Japan, but I may have remembered wrong;
it didn't look right at the time).
This is a social problem. Technical measures can help, but won't solve
it, I am afraid.
-Jeff
Roy M.Silvernail wrote:
> On Sunday 08 June 2003 06:11 pm, martin f krafft wrote:
>
>>also sprach James A. Donald <jamesd@echeque.com> [2003.06.08.2243 +0200]:
>>
>>>(When you hit the submit button, guess what happens)
>>
>>How many people actually read dialog boxes before hitting Yes or OK?
>
>
> It's slightly more subtle. The action tag of a form submission isn't usually
> visible to the user like links are. In the scam copy I received, all the
> links save one pointed to legitimate PayPal documents. Only the <form
> action= gave it away, and you have to view source to see that.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
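The thread's observation that every visible link pointed at the impersonated site while only the form action did not can be turned into a mail-filter heuristic. The following is an added example, not code from the thread or its participants; the HTML body is constructed, and the hostnames in it are placeholders standing in for the ones the thread mentions.

```python
"""Flag HTML mail whose <form action> posts to a domain that none of the visible
links use. Added example; the sample message is constructed, not a real scam."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed body in the style the thread describes: all <a href> links go to
# the impersonated site, only the form posts somewhere else.
SAMPLE_HTML = """
<html><body>
<p>Dear user, please <a href="https://www.paypal.com/help">verify</a> your
account. See our <a href="https://www.paypal.com/privacy">privacy policy</a>.</p>
<form method="post" action="http://www.pos2life.biz/cgi-bin/collect.cgi">
  <input name="ccnum"><input type="submit" value="Submit">
</form>
</body></html>
"""

def base_domain(host):
    """Crude registrable-domain approximation (last two labels); it is wrong
    for suffixes like co.uk, a real filter would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

class HostCollector(HTMLParser):
    """Collect the base domains of every <a href> and every <form action>."""
    def __init__(self):
        super().__init__()
        self.link_domains = Counter()
        self.form_domains = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            host = urlparse(attrs["href"]).hostname
            if host:
                self.link_domains[base_domain(host)] += 1
        elif tag == "form":
            # A relative action posts back to the "page origin", which for a
            # mail body is ill defined (as the thread notes); record it as None.
            host = urlparse(attrs.get("action", "")).hostname
            self.form_domains.append(base_domain(host) if host else None)

def mismatched_form_domains(html):
    """Return form-action domains that no visible link in the body points to."""
    p = HostCollector()
    p.feed(html)
    return [d for d in p.form_domains if d not in p.link_domains]

if __name__ == "__main__":
    for d in mismatched_form_domains(SAMPLE_HTML):
        print("form posts to", d or "<relative/undefined origin>", "but no link does")
```

A relative or missing action is reported as `None` so the caller can decide how to treat a form with no stated destination.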