[13973] in bugtraq


Re: BUGTRAQ Digest - 18 Feb 2000 to 21 Feb 2000 (#2000-41)

daemon@ATHENA.MIT.EDU (Richard Fromm)
Tue Feb 22 22:22:40 2000

Mime-Version: 1.0
Content-Type: text/plain
Message-Id:  <200002221856.KAA07377@relay.EECS.Berkeley.EDU>
Date:         Tue, 22 Feb 2000 10:56:32 -0800
Reply-To: Richard Fromm <rfromm@CS.BERKELEY.EDU>
From: Richard Fromm <rfromm@CS.BERKELEY.EDU>
X-To:         Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Tue, 22 Feb 2000 00:00:15 PST." 
              <20000222080019.257891EF1D@lists.securityfocus.com>

> From:    Andrew Bennett <abennett@CRUZIO.COM>
> Subject: Re: ebay sends passwords in the clear
> MIME-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> At 11:03 AM 2/16/00 -0800, rfromm@cs.berkeley.edu wrote:
> >I've been trying to get ebay to do something about this for a month and a
> >half, to no avail.  See http://avocado.dhs.org/ebpd/ for details, including an
> >ebay password sniffer.
>
> I noticed that ebay has a link on their Sign In feature page to sign in via
> SSL.  It's not the most obvious link.  An easy way to get there:
>
> - when prompted for your id/password, below the box, click the Sign In link
> - when prompted again for your id/password, below the box, click the 'here'
>   link

That's great!  They didn't have it when I posted ebpd.  So at least it looks
like I got something accomplished.

It's certainly not an easy thing to find, though.  Just one example of how
their site could use a bit of redesign.

So most people are still likely to not use it.  My guess is that they're
probably purposefully not publicizing it much at first, so that they can try
it out, get it debugged, measure the effect on the load on the server,
etc. under only limited use.

- Rich
