[unisog] Fraudulent eBay Site

Martin Radford Martin.Radford at bristol.ac.uk
Wed Apr 23 11:30:42 GMT 2003


--On 22 April 2003 20:40 -0400 Dan Riley <dsr at mail.lns.cornell.edu>
wrote:

> And while I'm ranting--anyone with a signin page, make the form page
> SSL protected.  ebay is a prime example of how to get this *wrong*.
> Go to ebay.com and click signin--the page that goes to *isn't* SSL
> encrypted.  The form action is, but that's too late--the page that
> *presents* the form should be SSL encrypted so customers can check for
> certificate validity *before* submitting the form.  This is *so* basic,
> and so commonly wrong--I'm tempted to say that companies like ebay
> *deserve* whatever liability they get from training their customers to
> fill in forms that can't easily be determined to be "secure" in
> advance of submission.
> 
> I'm starting to foam at the mouth, aren't I?  Ok, I'll stop.  But
> there *really* ought to be a BCP about SSL encrypting any form with
> an encrypted action, so the cert can be checked before submission.
> This is so basic, but so many of the e-tailers (including amazon) get
> it *wrong*.  Perhaps because their business depends on the illusion
> that cyberspace is trustworthy?

What would also be nice would be for browser vendors to differentiate
the "submit" buttons on web forms so the user could see if the action
pointed to an https site.  One could imagine the button showing a
locked padlock as well as the word "submit" (or a "tool tip" popup if
one hovered the mouse, etc).  You'd just need to find a way of doing it
that couldn't be spoofed by a malicious web page designer.

Martin
-- 
Martin Radford  (Martin.Radford at bristol.ac.uk)
Personal Computer Systems Team
Information Systems & Computing
University of Bristol Information Services
PGP keyID:       5D2D92E9
PGP fingerprint: 137E 0277 9D78 7447 71D0 BB3D C20D BB9A 5D2D 92E9
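The mistake Dan describes (a sign-in form presented over plain HTTP even though its action is HTTPS) is easy to audit for mechanically. The following is an added example, not code from either poster: a small Python check that parses an HTML page, finds every form carrying a password field, resolves its action against the page URL, and reports whether the page itself was served over HTTPS. It also flags the worse case of an action that is not HTTPS at all. The host names and the sample markup are constructed for the example and are not eBay's.

```python
"""Audit HTML for sign-in forms whose presenting page is not served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved action and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # one dict per <form> seen
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to this page";
            # urljoin also resolves relative actions such as "/login".
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_signin_forms(page_url, html):
    """Return one (action, verdict) pair per form that contains a password field."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlsplit(form["action"]).scheme
        if action_scheme != "https":
            verdict = "credentials submitted in the clear"
        elif page_scheme != "https":
            # The case from the thread: the submission is encrypted, but the user
            # had no certificate to inspect before typing the password.
            verdict = "form page not HTTPS: certificate cannot be checked before submission"
        else:
            verdict = "ok"
        findings.append((form["action"], verdict))
    return findings


# Constructed sample page modelled on the situation described in the thread
# (hypothetical example.test hosts, not real markup from any site).
SAMPLE_SIGNIN_HTML = """
<html><body>
<form action="https://signin.example.test/login" method="post">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for action, verdict in audit_signin_forms("http://www.example.test/signin",
                                              SAMPLE_SIGNIN_HTML):
        print(f"{action}: {verdict}")
```

Pointing the audit at a page fetched over `http://` with the sample markup yields the thread's complaint: the login action is HTTPS, but the page presenting it is not. Forms without a password field (the search box) are ignored, so the report stays focused on the places where credentials are typed.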


