Blog: Open letter to eBay

This is a (pending) story which happened recently with the German eBay customer service.

Dear eBay,

the way you present the login window under certain circumstances is bad practice. I often get long URLs (this one is 320 chars) like

https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=77&pageType=1883&pa1=&i1=&bshowgif=&UsingSSL=0&ru=http%3A%2F%2Fmy.ebay.de%2Fws%2FeBayISAPI.dll%3FMyeBay&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=1&fromwl=

There are two points to this.

First, usability: a normal user is supposed to see a clearly recognisable URL in the location bar of the browser. In the age of phishing he/she is constantly told to check whether he/she is connected to the right site. He/She cannot do that if the URL is 320 chars long. You simply overstrain normal users here.

Secondly, security: even I, as a person who has worked more than ten years in professional IT security, keep getting confused about whether this is really the site I want to deliver my credentials to. For example, an "@" sign (not necessarily ASCII encoded) somewhere in the non-visible part of my browser's location bar would turn the visible, i.e. leading, part into a userinfo component [1,2,3]. This has been known as a semantic attack for more than six years and has been used by phishers ever since. The leading "https" does not necessarily or obviously give this long URL anything like a blessing.

Please let me know if and when you intend to fix this.

(Dirk Wetter, 12/12/2007)

[1]: Richard Siedzik @ GIAC: http://www.giac.org/certified_professionals/practicals/gsec/0650.php
[2]: Bruce Schneier: http://www.schneier.com/crypto-gram-0102.html#7
[3]: RFC 3986, section 7.6; RFC 1738, section 3.1
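To make the userinfo point concrete, here is an added example (my own code, not from the letter or from eBay) that splits a login link the way RFC 3986 does and reports which host would really receive the credentials. The set of expected login hosts and the lookalike sample pointing at the documentation address 203.0.113.9 are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Login hosts the user expects to see in the location bar (assumed here).
EXPECTED_HOSTS = {"signin.ebay.de", "my.ebay.de"}

# Constructed samples: the first mirrors the start of eBay's real login URL
# from the letter, the second is a lookalike of the kind the letter warns
# about, pointing at the documentation address 203.0.113.9.
EBAY_LOGIN = ("https://signin.ebay.de/ws/eBayISAPI.dll?SignIn"
              "&co_partnerId=2&siteid=77&UsingSSL=0")
LOOKALIKE = ("https://signin.ebay.de:SignIn@203.0.113.9/ws/eBayISAPI.dll"
             "?SignIn&co_partnerId=2")


def analyse_link(url, expected_hosts=EXPECTED_HOSTS):
    """Split a link per RFC 3986 and report where the credentials really go.

    urlsplit() applies the RFC rules: the authority ends at the first '/',
    '?' or '#', and everything in it up to the last '@' is userinfo. So a
    'signin.ebay.de' that leads the URL may be nothing but a user name.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    userinfo = parts.netloc.rpartition("@")[0] or None  # None if absent
    findings = []
    if userinfo is not None:
        findings.append("leading part %r is userinfo, not the host" % userinfo)
        if any(h in userinfo.lower() for h in expected_hosts):
            findings.append("userinfo mimics an expected login host")
    if host not in expected_hosts:
        findings.append("real host is %r, not an expected login host" % host)
    if parts.scheme != "https":
        findings.append("scheme is %r, not https" % parts.scheme)
    # Long links hide their tail in the location bar; the length is reported
    # so a reviewer can see how much of the URL a user would actually get to see.
    return {"host": host, "userinfo": userinfo, "scheme": parts.scheme,
            "length": len(url), "findings": findings}


def is_safe_login_link(url, expected_hosts=EXPECTED_HOSTS):
    """True only if the link is https, carries no userinfo and lands on an
    expected host."""
    return not analyse_link(url, expected_hosts)["findings"]


if __name__ == "__main__":
    for sample in (EBAY_LOGIN, LOOKALIKE):
        report = analyse_link(sample)
        print(sample)
        for finding in report["findings"] or ["no findings"]:
            print("   -", finding)
```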
First Reply (12/13/2007): The first answer was typical of my past experience with German eBay customer service: it looked as if the person replying had not understood the content of the request. With copy-and-pasted paragraphs I was told to write this e-mail from a valid eBay-registered e-mail address.
Second Reply (12/14/2007): What came now stunned me. First I was told not to send my concerns as an attachment, since the filter eBay customer service uses strips attachments off. So far so good, but I didn't attach my concern as an attachment; it was inline text. For the second time I wondered how cursorily eBay's customer service reads e-mails. The attachments in question were a cryptographic signature and a vcard.
[..] Hello eBay member, <br>We would like to remind you that you have only two days left to fill in our customer satisfaction questionnaire. By doing so you support our efforts to keep improving our service. We thank you very much for that in advance.<br><br>Simply click on the following link to get to the questionnaire:<br><br><a href="http://surveys.echosurvey.com/ebayeu/survey.taf?survey_id=3414&user_id=9BBF11D2-7043-455F-8846-EE8D63FC1F48">http://surveys.echosurvey.com/ebayeu/survey.taf?survey_id=3414&user_id=9BBF11D2-7043-455F-8846-EE8D63FC1F48</a><br><br>If that does not take you directly to the web page, please copy the whole link and paste it into the address field of your browser.<br><br> [..]
The second part was text/html encoded and included remote pictures.