An attack on paypal

John S. Denker jsd at monmouth.com
Sun Jun 8 18:16:27 EDT 2003


"James A. Donald" <jamesd at echeque.com> wrote:
>
>> Attached is a spam mail that constitutes an attack on paypal similar
>> in effect and method to man in the middle.

Yeah, I've been seeing that one for a month or
two now.  I've seen several versions.  Some of
them are quite well done.  I imagine they get
more than a few victims.

I would have thought that the perpetrators would
have been too afraid of stings to try something
so bold.  The existence of such schemes is a sad
commentary on the state of law enforcement.

>> The bottom line is that https just is not working.  It's broken.

On 06/08/2003 05:47 PM, tom st denis wrote:
> 
> I disagree.  That attack is more akin to a "Hi, I'm calling from
> {insert bank here} and we need your CC info to update your file."
...
> So your "conclusions" are a bit off.

You guys are talking past each other.

All statements of the form:
  -- foo is working (or not)
  -- foo solves the problem (or not)
are so imprecise as to be useless.

It is better to talk about a definite specification.
Then we can ask whether foo meets the spec or not.

If you ask whether a given https implementation meets
the https specifications, then quite possibly it does.
So in this sense the technology is not "broken".

But if you ask whether https makes the world safe
for naifs to conduct e-commerce, by protecting them
from all possible spoofs and MITM attacks, then no,
it certainly does not do that.  There are some who
rashly claimed it was supposed to do that, so in
this sense it is quite broken.  It fails to meet
the broader spec.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com