An attack on paypal

James A. Donald jamesd at echeque.com
Thu Jun 12 17:36:04 EDT 2003


    --
On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
> Let me point folk at http://www.securityfocus.com/news/5654 
> for a related issue.  To put it very briefly, *real*
> authentication is hard.

I don't think so.

Verisign's authentication is notoriously worthless and full of
holes, yet very few attacks have been based on getting
certificates issued to wrong party, or on stealing poorly
defended and readily accessible certificates, even though that
is quite easy to do.

One of the scams described in the paper you cite was the old
"www.e-go1d.com" scam, but done using paper, rather than the
internet -- the scammers registered a company name similar to that
of a target company owning a large block of IP addresses, and
printed letterhead paper similar to that of the other company.

The problem was not that authentication was hard.  Passwords
would have sufficed.   Self signed public keys would have
worked even better.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     NoFj3E7m34BUCZIG2feG13OK1W+zx+gF7GsDX+Fm
     40IAMrSyeCwPFMzRybwYkgWLZ2JE97Ao595KgemVp
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com