An attack on paypal
tom st denis
tomstdenis at yahoo.com
Sun Jun 8 17:47:02 EDT 2003
--- "James A. Donald" <jamesd at echeque.com> wrote:
> Attached is a spam mail that constitutes an attack on paypal similar
> in effect and method to man in the middle.
>
> The bottom line is that https just is not working. Its broken.
I disagree. That attack is more akin to a "Hi, I'm calling from
{insert bank here} and we need your CC info to update your file."
That doesn't mean credit cards [nor your bank] are flawed. It means
you're an idiot for giving out the information.
Note that this "attack" doesn't actually exploit the automated side of
things. It doesn't learn the secret key [password] nor does it decrypt
packets [via https]. The attack is based on you giving out the
secrets, and alas, no crypto can really stop that [unless you stop
letting the users have the secrets].
So your "conclusions" are a bit off.
Tom
__________________________________
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list