droopycom
Posted: Wed Dec 12, 2007 1:53 pm Post subject: SSL
Hi,
On the subject of this FAQ: "It says you use SSL to encrypt eBay user IDs and passwords but when I was logging in, I do not see a padlock symbol. Does this mean my eBay user ID and password are at risk?"
The FAQ answers that the login/password are safe because the target when I click on the "log in" button is an SSL session. While it is true that the password will be encrypted in the SSL session, I have no way to trust the site is really Gixen.
In particular, a common attack would be to make a spoof Gixen website that looks exactly the same but steals your password when you click the "log in now" button.
The purpose of SSL is not only to encrypt what you send, but also to authenticate what you receive.
Granted, many people would also be fooled by a spoofed SSL certificate, but a few paranoid types are carefully checking.
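Added example, not part of the original post and not Gixen's code: a small audit that separates the case raised above (a password form delivered over plain HTTP that submits to HTTPS) from a form that submits in cleartext and from one served and submitted over HTTPS. The host `sniper.example`, the sample markup and the verdict names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: login form served over plain HTTP, posting to HTTPS.
SAMPLE_URL = "http://sniper.example/"
SAMPLE_HTML = ('<form action="https://sniper.example/login" method="post">'
               '<input name="user"><input type="password" name="pass"></form>')


class FormCollector(HTMLParser):
    """Records each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [action, has_password] per form, document order
        self.in_form = False   # True while between <form> and </form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append([attrs.get("action") or "", False])
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.forms[-1][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def verdict(page_url, target):
    """Classify one password form by how it is delivered and where it submits."""
    if urlsplit(target).scheme != "https":
        return "cleartext-submit"       # password crosses the network unencrypted
    if urlsplit(page_url).scheme != "https":
        return "unauthenticated-form"   # encrypted submit, but no certificate
    return "ok"                         # vouches for the page showing the form


def audit_login_forms(page_url, html):
    """Return (submit_url, verdict) for every form holding a password field."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    targets = [urljoin(page_url, a) for a, has_pw in collector.forms if has_pw]
    return [(t, verdict(page_url, t)) for t in targets]
```

An "ok" verdict only means the browser had a certificate to check for the page; the user still has to look at whose certificate it is.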