An attack on paypal

tom st denis tomstdenis at yahoo.com
Sun Jun 8 17:47:02 EDT 2003


--- "James A. Donald" <jamesd at echeque.com> wrote:
> Attached is a spam mail that constitutes an attack on paypal similar 
> in effect and method to man in the middle.
> 
> The bottom line is that https just is not working.  It's broken.

I disagree.  That attack is more akin to a "Hi, I'm calling from
{insert bank here} and we need your CC info to update your file."

That doesn't mean credit cards [nor your bank] are flawed.  It means
you're an idiot for giving out the information.

Note that this "attack" doesn't actually exploit the automated side of
things.  It doesn't learn the secret key [password] nor does it decrypt
packets [via https].  The attack is based on you giving out the
secrets, and alas, no crypto can really stop that [unless you stop
letting the users have the secrets].

So your "conclusions" are a bit off.

Tom


---------------------------------------------------------------------
The Cryptography Mailing List