The real problem that https has conspicuously failed to fix

Jeffrey I. Schiller jis at MIT.EDU
Wed Jun 11 13:10:21 PDT 2003


Folks, this isn't an https (or even http) problem. It is a tough user 
interface issue. Note: The form posting goes to www.pos2life.biz, which 
doesn't remotely look like paypal.com!

To make matters worse, there are plenty of businesses that send you 
legitimate email that comes from a "random" looking place. Just today I 
received one from MIT's Alumni Association, but the actual source was 
something like m0.email-foobar.com (or something). Obviously the Alumni 
Association outsources the sending of the mail to some third party 
company. So even if we came up with some fancy way of saying "This form 
doesn't post to the same place this page came from [never mind that the 
origin of an e-mail form is ill defined]", it won't help.

I also received this scam mail. There were only two hints of badness 
(besides the obvious request for personal info that paypal shouldn't 
need): one was the form posting and the other was the "Received-by" line 
which my mail system put on the message, which showed its origin at a 
suspicious place (I believe in Japan, but I may have remembered wrong; 
it didn't look right at the time).

This is a social problem. Technical measures can help, but won't solve 
it, I am afraid.

			-Jeff

Roy M. Silvernail wrote:
> On Sunday 08 June 2003 06:11 pm, martin f krafft wrote:
> 
>>also sprach James A. Donald <jamesd at echeque.com> [2003.06.08.2243 +0200]:
>>
>>>(When you hit the submit button, guess what happens)
>>
>>How many people actually read dialog boxes before hitting Yes or OK?
> 
> 
> It's slightly more subtle.  The action tag of a form submission isn't usually 
> visible to the user like links are.  In the scam copy I received, all the 
> links save one pointed to legitimate PayPal documents.  Only the <form 
> action= gave it away, and you have to view source to see that.
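The hidden <form action= Roy describes can be surfaced mechanically by comparing it with the hosts of the links the reader actually sees; this is an added example, not code from anyone in this thread, and the HTML message body is constructed to mirror the scam mail described above (the posting path on www.pos2life.biz is made up).

```python
"""Added example: list form-action hosts that none of a message's visible
links point to, i.e. the one thing in the scam mail that 'gave it away'."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: every visible link goes to paypal.com, the form does not.
# The path on www.pos2life.biz is invented for the example.
SAMPLE_HTML = """
<html><body>
<p>Please confirm your account at <a href="https://www.paypal.com/">PayPal</a>.</p>
<a href="https://www.paypal.com/help">Help</a>
<a href="https://www.paypal.com/privacy">Privacy</a>
<form method="post" action="http://www.pos2life.biz/collect.php">
  <input name="password"><input type="submit" value="Submit">
</form>
</body></html>
"""


class _Collector(HTMLParser):
    """Collect hosts of <a href> links and <form action> targets separately."""

    def __init__(self):
        super().__init__()
        self.link_hosts, self.form_hosts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.link_hosts.append(urlparse(a["href"]).hostname or "")
        elif tag == "form" and a.get("action"):
            self.form_hosts.append(urlparse(a["action"]).hostname or "")


def suspicious_form_hosts(html):
    """Return form-action hosts that no visible link in the message points to.

    Caveat (Jeff's point above): legitimately outsourced mail will also trip
    this, so a hit is something to show the user, not proof of fraud.
    Relative actions (no host) are skipped; a mail 'origin' is ill defined."""
    p = _Collector()
    p.feed(html)
    visible = {h.lower() for h in p.link_hosts if h}
    return sorted({h.lower() for h in p.form_hosts if h and h.lower() not in visible})


if __name__ == "__main__":
    print(suspicious_form_hosts(SAMPLE_HTML))  # ['www.pos2life.biz']
```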
