
Blog: Open letter to eBay


This is a (still pending) story of a recent exchange with German eBay customer service.

Dear eBay,

the way you present the login window under certain circumstances is bad practice. I often get long URLs (this one is 320 characters) like

https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=77&pageType=1883&pa1=&i1=&bshowgif=&UsingSSL=0&ru=http%3A%2F%2Fmy.ebay.de%2Fws%2FeBayISAPI.dll%3FMyeBay&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=1&fromwl=

There are two points to this.

First, usability: A normal user is supposed to see a clearly recognisable URL in the browser's location bar. In the age of phishing he or she is constantly told to check whether the site he or she is connected to is the right one, and that is impossible when the URL is 320 characters long. You simply overstrain normal users here.

Secondly, security: Even I, after more than ten years in professional IT security, am regularly unsure whether this is really the site I want to hand my credentials to. For example, an "@" sign, not necessarily in plain ASCII, somewhere in the invisible part of my browser's location bar would turn the visible leading part into a userinfo component [1,2,3]. This has been known as a semantic attack for more than six years and has been used by phishers ever since. A leading "https" does not necessarily or obviously bless such a long URL.

Please let me know if and when you intend to fix this. (Dirk Wetter, 12/12/2007)


[1]: Richard Siedzik, GIAC practical: http://www.giac.org/certified_professionals/practicals/gsec/0650.php
[2]: Bruce Schneier, Crypto-Gram: http://www.schneier.com/crypto-gram-0102.html#7
[3]: RFC 3986, section 7.6; RFC 1738, section 3.1
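
To make the userinfo point from the letter concrete, here is an added example (not part of the original post or of any eBay code) that parses a login URL the way RFC 3986 section 3.2.1 prescribes and flags the pattern described above; the sample URLs are constructed, and decoy.example.net is a placeholder host:

```python
"""Where does a long login URL really point?  RFC 3986 section 3.2.1 userinfo check."""
from urllib.parse import urlsplit, unquote

VISIBLE_CHARS = 60  # assumption: roughly how much of a long URL a location bar shows

# Constructed samples (not from the post); every host other than signin.ebay.de /
# my.ebay.de is a placeholder.
LEGIT = ("https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&co_partnerId=2&siteid=77"
         "&UsingSSL=0&ru=http%3A%2F%2Fmy.ebay.de%2Fws%2FeBayISAPI.dll%3FMyeBay")
# Same first 22 characters, but there is no '/' or '?' before the '@', so everything
# up to it is the userinfo component and decoy.example.net is the real host.
DECEPTIVE = ("https://signin.ebay.de:eBayISAPI.dll&SignIn&co_partnerId=2&siteid=77"
             "&UsingSSL=0&ru=http%3A%2F%2Fmy.ebay.de@decoy.example.net/login")
# A percent-encoded '@' is not a delimiter: this is one odd hostname, not userinfo.
ENCODED = "https://signin.ebay.de%40decoy.example.net/login"


def effective_target(url: str) -> dict:
    """Parse as RFC 3986 does: the authority runs from '//' to the first '/', '?'
    or '#', and whatever precedes the last '@' inside it is userinfo, not host."""
    p = urlsplit(url)
    userinfo = p.netloc.rpartition("@")[0]  # '' when the authority has no '@'
    return {"scheme": p.scheme, "host": (p.hostname or ""), "userinfo": userinfo,
            "visible": url[:VISIBLE_CHARS], "length": len(url)}


def looks_deceptive(url: str) -> bool:
    """Flag a login URL when it carries userinfo (web logins never need it), when its
    host contains percent-encoded bytes, or when the real host lies outside the part
    a user would actually see in the location bar."""
    t = effective_target(url)
    return bool(t["userinfo"]) or "%" in t["host"] or t["host"] not in t["visible"]


def naive_target(url: str) -> str:
    """The mistake to avoid: percent-decoding the whole URL before splitting it turns
    an encoded '%40' inside the host into a real '@' and silently changes the host."""
    return urlsplit(unquote(url)).hostname or ""


if __name__ == "__main__":
    for name, url in (("legit", LEGIT), ("deceptive", DECEPTIVE), ("encoded", ENCODED)):
        t = effective_target(url)
        print(f"{name:9} len={t['length']:3} host={t['host']!r} "
              f"userinfo={t['userinfo'][:20]!r} flagged={looks_deceptive(url)}")
```

The contrast between effective_target and naive_target is the practical lesson: split the URL first and decode the individual components afterwards, never the other way round.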

First reply (12/13/2007): The first answer was typical of my past experience with German eBay customer service: it looked as if the person replying had not understood the content of the request. With copy-and-pasted paragraphs I was told to send this e-mail from a valid eBay-registered e-mail address.
I replied that security problems should not be a matter of whether one has an eBay account or not, and asked for the case to be escalated to management.

Second reply (12/14/2007): What came next stunned me. First I was told not to send my concerns as an attachment, since the filter eBay customer service uses strips attachments off. So far so good, but I had not attached my concern as an attachment; it was inline text. For the second time I wondered how cursorily eBay's customer service reads e-mails. The attachments in question were a cryptographic signature and a vCard.
Secondly, I got two e-mails asking for feedback on the quality of the reply. More precisely, the e-mails were multipart: the first part was barely readable text/plain (this is exactly how a plain-text mail reader displays it; IDs modified):

[..]
Hallo eBay-Mitglied,

<br>Wir moechten Sie daran erinnern, dass Sie nur noch zwei Tage unseren F
ragebogen zur Kundenzufriedenheit ausfuellen koennen. Indem Sie dieses
tun, unterstuetzen Sie unsere Bemuehungen, unseren Service stetig zu
verbessern. Dafuer danken wir Ihnen schon jetzt sehr
herzlich.<br><br>Klicken Sie einfach auf den folgenden Link, um zum
Fragebogen zu kommen:<br><br><a href="http://surveys.echosurvey.com/ebayeu/
survey.taf?survey_id=3414&user_id=9BBF11D2-7043-455F-8846-EE8D63FC1F48">htt
p://surveys.echosurvey.com/ebayeu/survey.taf?survey_id=3414&user_id=9BBF11D
2-7043-455F-8846-EE8D63FC1F48</a><br><br>Falls Sie dadurch nicht direkt
zur Webseite gebracht werden, kopieren Sie bitte den gesamten Link und
fuegen ihn im Adressfeld Ihres Browsers ein.<br><br&
[..]

The second part was text/html, including remote images.
So again, this is an area where eBay's usability, privacy and security could be much better.

