Bugtraq mailing list archives

Re: BUGTRAQ Digest - 18 Feb 2000 to 21 Feb 2000 (#2000-41)


From: rfromm () CS BERKELEY EDU (Richard Fromm)
Date: Tue, 22 Feb 2000 10:56:32 -0800


From:    Andrew Bennett <abennett () CRUZIO COM>
Subject: Re: ebay sends passwords in the clear

At 11:03 AM 2/16/00 -0800, rfromm@cs.berkeley.edu wrote:
I've been trying to get ebay to do something about this for a month and a
half, to no avail.  See http://avocado.dhs.org/ebpd/ for details, including an
ebay password sniffer.

I noticed that ebay has a link on their Sign In feature page to sign in via
SSL.  It's not the most obvious link.  An easy way to get there:

- when prompted for your id/password, below the box, click the Sign In link
- when prompted again for your id/password, below the box, click the 'here'
link

That's great!  They didn't have it when I posted ebpd.  So at least it looks
like I got something accomplished.

It's certainly not an easy thing to find, though.  Just one example of how
their site could use a bit of redesign.

So most people are still likely to not use it.  My guess is that they're
probably purposefully not publicizing it much at first, so that they can try
it out, get it debugged, measure the effect on the load on the server,
etc. under only limited use.

- Rich

