Blog: Open letter to eBay
This is a (pending) story which happened recently with the German eBay customer service.
The way you present the login window under certain circumstances is bad practice; I often get long URLs (this one is 320 chars) like
There are two points to this.
First, usability: A normal user is supposed to see a clearly recognisable URL in the location bar of the browser. In the age of phishing it is always demanded of him/her to check whether he/she is connected to the right site. He/she cannot do that if the URL is 320 chars long. You just overstrain normal users here.
Secondly, security: Even I, as a person who has worked more than ten years in professional IT security, always get confused whether this is the site I really want to deliver my credentials to. E.g. an "@" sign — not necessarily ASCII encoded — somewhere in the non-visible part of the location bar of my browser would render the visible first — i.e. leading — part as a userinfo component [1,2,3]. This has been known as a semantic attack for more than six years and has been used by phishers since then. The leading "https" does not necessarily or obviously give this long URL anything like a blessing.
Please let me know if and when you intend to fix this. (Dirk Wetter, 12/12/2007)
[1] Richard Siedzik @ GIAC: http://www.giac.org/certified_professionals/practicals/gsec/0650.php
[2] Bruce Schneier: http://www.schneier.com/crypto-gram-0102.html#7
[3] RFC 3986, paragraph 7.6; RFC 1738, paragraph 3.1
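The userinfo trick described in the letter can be checked mechanically: what precedes the last "@" in the authority is userinfo, and the real host is whatever follows it. The following checker is an added example, not code from the original post; the hostnames and URLs in SAMPLES are constructed (example.com and the .example TLD are reserved for documentation), and the 60-character window is an assumption standing in for what a location bar shows.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for the demonstration (not from the original post).
SAMPLES = {
    # Ordinary long login URL: the host is where it appears to be.
    "plain": "https://login.example.com/ws/SignIn?ru=https://www.example.com/myaccount",
    # An '@' after the path starts belongs to the query, not the authority: harmless.
    "at_in_query": "https://login.example.com/ws/SignIn?ru=/mail/user@example.com",
    # The familiar name is in front, but it is only userinfo; the real host follows '@'.
    "at_in_authority": "https://login.example.com:x@signin-check.example/ws/SignIn",
    # Same trick, padded so the '@' sits beyond what a 60-char location bar shows.
    "at_hidden": "https://login.example.com"
                 + "%2Fws%2FSignIn%26UsingSSL%3D1" * 3
                 + "@signin-check.example/ws/SignIn",
}


def check_url(url, expected_host, visible_chars=60):
    """Report which host a browser would really connect to, whether the
    authority carries a userinfo component, and whether the '@' that
    introduces the real host lies outside the visible prefix of the URL."""
    parts = urlsplit(url)
    # urlsplit takes the authority as everything between '//' and the first
    # '/', '?' or '#'; within it, .hostname is the part after the last '@'.
    actual_host = (parts.hostname or "").lower()
    userinfo = parts.username  # None when the authority has no '@'
    at_hidden = False
    if userinfo is not None:
        # Offset of the last '@' of the authority within the full URL string.
        at_pos = len(parts.scheme) + len("://") + parts.netloc.rfind("@")
        at_hidden = at_pos >= visible_chars
    return {
        "actual_host": actual_host,
        "userinfo": userinfo,
        "host_ok": actual_host == expected_host.lower(),
        "at_hidden": at_hidden,
    }


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, check_url(url, "login.example.com"))
```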
First Reply (12/13/2007): The first answer was typical, given my past experience with German eBay customer service: it looks like the person replying had not understood the content of the request. With copy-and-pasted paragraphs I was told to write this e-mail from a valid eBay-registered e-mail
Second Reply (12/14/2007): What came now stunned me. First I was told not to send my concerns as an attachment, since the filter eBay customer service uses strips attachments off. So far so good, but I didn't attach my concern as an attachment; it was inline text. I was now wondering for the second time how cursorily eBay's customer service reads e-mails. The attachments in question were a cryptographic signature and a vCard.
[..] Hello eBay member, We would like to remind you that you have only two more days to fill out our customer satisfaction questionnaire. By doing so, you support our efforts to continually improve our service. We thank you very much in advance. Simply click on the following link to get to the questionnaire: http://surveys.echosurvey.com/ebayeu/survey.taf?survey_id=3414&user_id=9BBF11D2-7043-455F-8846-EE8D63FC1F48 If this does not take you directly to the website, please copy the entire link and paste it into the address field of your browser. [..]