eBay still not using SSL || kuro5hin.org


	create account \| help/FAQ \| contact \| links \| search \| IRC \| site news

Everything

We need your support: buy an ad | premium membership

eBay still not using SSL

By turmeric in Politics
Wed Jul 23, 2003 at 10:14:59 AM EST
Tags: Freedom (all tags)

eBay still does not use SSL for passwords. Although there is an option to use it during signin, this is largely negated by the fact that you have to continuously re-sign in to perform various commands, the fact that you cannot have SSL be the 'default' login, the fact that most eBay sellers are not techno-knowledgable enough to understand what secure-sign-in is anyways so they wont click the tiny 'secure signin' link, and the fact that the eBay 'change your password' web page not only sends your new password back to them completely unencrypted but also has no option for using SSL to do the change.

Furthermore the various 'eBay helper' services, including companies like bidpay.com, payinfast.com, etc, who do things like 'insert banners' into your auction web pages, may or may not use secure password logins either. They simply don't say what they do with the ebay passsword information you give them.
SSL for those who didnt know stands for 'secure sockets layer' which basically means all the text going under SSL is put into a secret code. The internet is like a gigantic electronic version of postcards where anyone can read what you are sending, and the only way to stop this is to write nonsense code on the postcards and decode it at both ends. But how can they read it, you ask? download a 'packet sniffer' like ethereal. It took me 5 minutes to find my own ebay password. Considering there are dozens of electronic waystations between any internet computer and eBays servers, there is ample opportunity for a hacker to listen in to what is going on.
At first glance this doesn't seem to translate into money. But via something called 'account hijacking' a hacker could turn a quick buck rather easily.
One way is to sell items you dont have using a 'good seller's username and password. Everyone thinks it is legit from the feedback profile so they send you the wire-transfer or money order, a method which cannot be refunded, and you never see them again.
Another way is to steal a buyers account. Then you can go around finding sellers who take credit cards, and then pay them and then claim the article never arrived. Then do a 'chargeback' with the credit card and get your money back, and keep the item.
These and many other scams are listed in detail on the ebay community web boards particularly 'trust and safety' and 'international'.
On the other hand, eBay does a lot to try to stop fraud. They have hired a gaggle of people to sit around and answer 'live help' requests. They have specialized feedback web forms to report fraud. They own paypal, which has a 'seller protection plan' and tries to work with law enforcement and other agencies.
However, eBay does not seem to think that SSL matters. This has been discussed several times in the 'trust and safety' eBay message board as can be confirmed with a search through it's archives. It has also been the topic of an article on the 'comp.risks' newsgroup.
And yet, when it is brought up most eBayers do not understand the technology. And eBay employees, while posting in many threads, do not post in the threads that mention SSL.
Some people will argue that ssl doesn't matter that much. They might claim most frauds are committed by faking emails and sending users to fake 'enter your password' websites. However I have not seen anyone show me any proof of this. And considering that most other commerce sites, such as banks, paypal.com, moneybookers.com, and even non-commerce sites like hotmail.com, use SSL, it is a bit difficult to believe that it 'doesnt matter'.
So I have been pondering what exactly is going on in the belly of eBay for this SSL thing to go unresolved for months, and years. This problem has been mentioned in the past and nothing has changed. I am going to assume that eBay hires a lot of computer people. Some of these know what SSL is and understand the importance. I bet some of them are asking the same questions, 'why wont eBay use SSL?'. I guess I have to conclude that eBay management doesn't listen to it's own people. This could be because the place is so damn busy all the time or a hundred other excuses. But that is all they are, excuses.
I think SSL is like a canary in the mine for ebay. If they can't fix this problem, what other problems are they letting slide, distracted by the deluge of 'more important' work they think they have to do?
If eBay crashes and burns, hopefully another auction site can rise up and do the good things they are doing, but with a 'fresh start' and without the distractions and turmoil that keep them from ignoring the basics. I would happily switch in a second if I could find such a place.

Sponsors

Managed Hosting
VoxCAST Content Delivery
Raw Infrastructure

eBay still not using SSL | 128 comments (78 topical, 50 editorial, 0 hidden)

What makes you think this is a problem? (4.66 / 3) (#12)
by 87C751 on Mon Jul 21, 2003 at 02:05:17 PM EST

Remember, we're talking about eBay, the company that offers to turn over information on any of their users to J. Random Law Enforcer without even a subpoena. The lack of SSL isn't a bug, it's a feature!

My ranting place.

Well, i think we can all agree about (2.00 / 7) (#16)
by rmg on Mon Jul 21, 2003 at 04:23:52 PM EST

what an important issue this is. I do most of my computer type shopping at ebay, and I find the idea that my account could be stolen so easily by an unethical hacker a bit disturbing. An article like this in a forum such as ours may well affect some positive change in this situation.

This is really an important step in the right direction. this is what democratic media is all about. Giving the people, the consumers, the say in the dissemination and production of information and opinion they have been denied in the past. This goes beyond the simple shout outs we see in the local newspaper's letters to the editors page. This is a much larger responsibility, with a much broader cultural scope.

I think the author appropriately seizes this responsibility. That is why I will be voting "+1 FP" on this article. It deserves the audience of our community and the internet community at large via syndication and the all-seeing eye of google.

_____ intellectual tiddlywinks

shut up by turmeric, 07/21/2003 11:45:50 PM EST (3.50 / 8)

SSL may not be a key factor in preventing fraud (4.75 / 4) (#19)
by X3nocide on Mon Jul 21, 2003 at 05:40:06 PM EST

But it sure as hell is part of any plan committed to building trust in security. Part if the problem may be that eBay mostly sees its users in a positive light, that given a choice between nice and mean, people will select nice over mean. To an extent, this is true. But it only takes one bad experience to turn a user away from them.

I suspect that there are a few plausible reasons for ebay to neglect SSL: computer efficiency, user accessibility, and user awareness. Encryption schemes do have overhead, and when you're as busy as ebay, that translates into needing more computer capitol. Secondly, user accessibility would be hampered if the user did not have an immediate browser that could support SSL.

The biggest thing is awareness. If you give normal users a choice, they'll take the default; the frauds we wish to prevent will take the option less likely to get themselves caught. So you'd want to build in an infrastructure to let the public know when you've chosen SSL or not. But you'd also have to educate your customers so that they understand that SSL isn't a guarentee against fraud, which would be an uphill battle. Finally, disclosure of SSL versus 'unsecure' connections may irk all sorts of privacy activists, libel lawyers. and other liabilities.

Ebay does some to fraud, but their efforts seem to be focused on mass/automated fraud, which is probably more dangerous to them, anyways. Inclusion of little turing tests to defeat automated new seller registrations probably does a lot to deter the common one shot frauds and the good karma bot network. Its probably in ebay's best interest not to bring attention to the insecurity of the system with something as simple as SSL. Hell, thats probably their best defense: the less you tell the public about your security schemes, the more the general public will believe that you are secure.

I'll let the reader explore the broad horizon of meanings of that last sentence.

pwnguin.net

BS by ph317, 07/22/2003 07:52:49 AM EST (4.50 / 2)

how much of their margins are being eaten by fraud by turmeric, 07/22/2003 10:14:00 AM EST (5.00 / 1)
A little late, but... by toganet, 07/31/2003 11:31:17 AM EST (none / 0)

Amazon.com Auctions (4.00 / 1) (#30)
by feline on Mon Jul 21, 2003 at 10:02:34 PM EST

hopefully another auction site can rise up

Amazon.com has an auction site.

amazon are slimebags by turmeric, 07/21/2003 10:52:29 PM EST (5.00 / 1)

eBay's Half.com by feline, 07/22/2003 01:27:37 AM EST (5.00 / 1)

I liked half.com before eBay bought it. by porkchop_d_clown, 07/22/2003 09:58:03 AM EST (none / 0)

Half.com's "Demise" by feline, 07/22/2003 01:58:35 PM EST (none / 0)

Yeah, they're also laying off several friends by porkchop_d_clown, 07/22/2003 07:19:05 PM EST (none / 0)

That's no evidence by feline, 07/22/2003 11:12:38 PM EST (none / 0)

throw the people in the garbage. keep the machiens by turmeric, 07/23/2003 08:47:32 AM EST (5.00 / 1)

Scrap Dealers by feline, 07/23/2003 01:30:54 PM EST (none / 0)

if nobody makes any originals there are no scraps by turmeric, 07/26/2003 11:21:02 AM EST (none / 0)

thanks for the hookup by turmeric, 07/22/2003 10:09:34 AM EST (none / 0)

Umm (2.71 / 7) (#33)
by igny ignoble on Mon Jul 21, 2003 at 11:23:56 PM EST

You appear to have mistaken this site for the eBay feedback forum.

SSL (5.00 / 2) (#42)
by MSBob on Tue Jul 22, 2003 at 01:22:05 AM EST

The main point of SSL for me is not communication encryption - sniffing packets is actually a rare and impractical type of attack.

What matters with SSL is server authentication. By going through SSL a site must have obtained a valid certificate that confirms that they are who they claim they are. Of course it hinges on the notion that people click the little padlock in their browsers to review the site's certificate. Nobody (except for me) seems to be doing that anymore :(.

I don't mind paying taxes, they buy me civilization.

Quick and easy way by RyoCokey, 07/22/2003 09:57:46 AM EST (none / 0)
ancient greeks by turmeric, 07/22/2003 10:01:52 AM EST (1.00 / 2)

Seneca was a Roman [nt] by skelter, 07/22/2003 05:28:52 PM EST (none / 0)
God grant me the Serenity... by circletimessquare, 07/25/2003 03:33:38 AM EST (none / 0)

P.8 Boad -> board (none / 0) (#44)
by Haelo on Tue Jul 22, 2003 at 01:45:51 AM EST

"This has been discussed several times in the 'trust and safety' ebay message boad as can be confirmed with..."
A.

Sorry. by Haelo, 07/22/2003 01:48:19 AM EST (none / 0)

Packet sniffing (4.85 / 7) (#57)
by jd on Tue Jul 22, 2003 at 10:16:25 AM EST

Although packet sniffing is rare, it's not unknown. Typically, hostile sniffers are placed on the ISP of whoever provides the commercial service. The checks are typically basic - checks for HTTP form replies that include the word "password", or which includes a string in the format of a credit card number.

eBay is certainly subject to hijack accounts, and I know of plenty of people who have had their accounts hijacked. If the password isn't secure, you might as well have the displayed name and login name different, and forget the password entirely. You've the same level of security.

You must also remember that eBay is not a small operation. While I personally dislike ANY site using insecure logins (and shudder every time I log into K5 or /. for that very reason), most small sites aren't worth the effort for someone to crack, unless it's purely as an ego thing.

eBay, or any of the other major online stores, deal in hundreds of millions of dollars. That's a lot of loose change. Since sniffing doesn't involve a direct attack on the store, intrusion detectors won't spot it or stop it. There's no direct link between the sniffer and the intrusion.

The reason I prefer secure logins on all sites is that people typically have a small pool of passwords which they use for a large number of sites. Because of this, password sniffers on a set of insecure sites is going to be as dangerous to users as a single password sniffer on eBay's ISP.

The sniffer operator simply needs to collect the sniffer results, organize them by IP address, then sort then by username (which will also be typically similar or the same on many systems). They can then build a mini cracker dictionary for specific users, which they can use to brute-force entry into a system like eBay.

Sure, this is cruder, in that a really good NIDS package will detect the repeated login attempts (even though it'll be a plausably small pool), and lock out the attacker. This assumes eBay employs NIDS software, though. If they don't, then this'll just look like a careless user. Enough accounts can be broken this way to reap the attacker enough money to make it worth their while.

Remember, they don't need many successes. If you assume that a typical credit card'll have about a thousand or so left on it, then just 50 cracks would reap the attacker the same amount as a typical Software Engineer II, full-time, would earn in a year. Tax free. And it's doubtful it would take a year to get 50 accounts. Allowing time to set the software up, it'd probably still take less than a week to get that.

With the prospect of earning as much in a week as a low-mid range tech earns in a year, with virtually zero possibility of being tracked, you will get people who are tempted. That is a lot of very easy money. What's more, even if you are caught, the infamy would guarantee enough media interest to keep you in luxury for the rest of your life... once the sentance is complete, that is. But even a sentance isn't going to deter people if there's guaranteed fame and fortune at the end.

(Yeah, I know, there are laws about profiting from the results of crimes. Ask a certain Moose about that one. People will profit from whatever other people will buy, and sod the ethics or legality.)

People generally assume sniffers aren't common, largely because it's the brute-force attacks and mass thefts that get the most media attention. Bad assumption. It's like assuming that nobody has ever lifted a fingerprint for the purpose of fooling someone, because it's the car chases that get prime-time TV.

It's apples and oranges. Two very different styles, operating on two very different principles. The first work on the basis that identity theft is generally hard to detect and can be impossible to trace. But it does require a degree of lateral thinking and patience. The latter - brute forcing of any kind - depends on running faster than the other guy. There's no finesse, the risks are a lot higher, but in the short-term, so is the haul.

As someone who has worked in computer security for a long time, I consider the patient, thinking intruder to be the greater threat. Most NIDS will detect a brute-force smash-and-grab type attack, and block all packets from the attacker's subnet. I don't need to concern myself with these attacks, as the software these days is usually good enough to stop them.

Those with patience and intelligence are much more terrifying, as there's no automatic system that can protect against them, if they're good enough. No matter how good your security, they can always bypass it by being that much better.

I do not know of a cost-effective way of stopping a determined-enough attacker who has both patience and intelligence. Recent security thinking has moved in the direction of assuming that such people will break in, and to limit the damage that can be done once a break-in has occured. (Actually, it's not entirely "recent", as the B-class and A-class security models in the Red Book also work from the concept of minimizing damage by a malicious user or a break-in.)

https://www.kuro5hin.org by Xoder, 07/22/2003 11:44:22 AM EST (5.00 / 2)

It does indeed by Rk, 07/22/2003 03:12:50 PM EST (3.00 / 1)

Must be intentional by Cloaked User, 07/22/2003 08:04:01 PM EST (none / 0)

on all the username/ password form fields i build by circletimessquare, 07/25/2003 03:27:10 AM EST (none / 0)

SSL doesn't matter (3.00 / 6) (#59)
by STFUYHBT on Tue Jul 22, 2003 at 12:52:00 PM EST

SSL doesn't matter - it's just a tool used by the Verisign-Netscape complex to force you into consuming their services. Every try to become a CA (Certifying Authority)? You can't! Netscape will not include your certificate in the browser unless you are a mega-evil corporation, which means anyone who tries to visit your website will get a warning, and will not trust you. Verisign knows that nobody actually falls victim to sniffing attacks, so why do they hype SSL so much? Because they have a monopoly on certificates!

-
"Of all the myriad forms of life here, the 'troll-diagnostic' is surely the lowest, yes?" -medham

Oh really... by Hatamoto, 07/22/2003 03:48:45 PM EST (5.00 / 1)

Re: Oh really... by elemental, 07/22/2003 04:42:52 PM EST (5.00 / 2)

ack! by Hatamoto, 07/22/2003 06:11:19 PM EST (none / 0)

Slight change of corporate direction. by ethereal, 07/23/2003 01:11:46 PM EST (5.00 / 1)
GeoTrust by iso, 07/23/2003 03:08:33 PM EST (none / 0)

Workaround (none / 0) (#71)
by R343L on Tue Jul 22, 2003 at 08:55:39 PM EST

You can (according to a recent bugtraq or maybe it was Risks digest post) change your password (using ssl) on half.com and it will propagate to ebay.com.

But yes, it is dumb that ebay hasn't fixed it. It's shown up on Risks several times I think.

Rachael
"Like cheese spread over too much cantelope, the people I spoke with liked their shoes." Ctrl-Alt-Del

i know, i need ssl to buy this: (5.00 / 7) (#72)
by circletimessquare on Tue Jul 22, 2003 at 10:01:40 PM EST

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3619358353&category=2 1099

(safe link)

The tigers of wrath are wiser than the horses of instruction.

sure you can buy turmeric... by rmg, 07/22/2003 11:51:00 PM EST (5.00 / 1)

If you don't understand why you need encryption... (5.00 / 4) (#74)
by MichaelCrawford on Tue Jul 22, 2003 at 10:48:58 PM EST

... please read my article Why You Should Use Encryption.

Your mom should be using encryption. Your kids should be using encryption. Please ask them to read the article too. Most importantly, you should be using encryption.

Computers are powerful enough that encryption ought to be the default for just about any sort of network communication. I think it would be just dandy if we all passed around the hat to buy rusty a powerful enough server that he can serve up Kuro5hin on SSL. I'd pay for a membership if the price went to pay for the extra CPU required to do the encryption.

If you think it would be silly to encrypt stuff that's getting posted openly on the net anyway, consider that having lots of encrypted traffic in the system makes traffic analysis much harder for anyone who might be trying to find the really secret stuff. The worst thing to do is to only use encryption when you have something private to say - the bad guys can tell from the very fact that your message is encrypted that it's something to take interest in.

Personally, I always use SSH to read my email, even though almost all of my email is sent to my hosting service in plaintext. I also use SCP to transfer new web pages to my website. Keeps 'em guessing.

A productive thing to do would be, every time you make a new kernel build for your linux box, pgp the kernel binary with some random password and post it to one of the alt.binaries newsgroups.

Live your fucking life. Sue someone on the Internet. Write a fucking music player. Like the great man Michael David Crawford has shown us all: Hard work, a strong will to stalk, and a few fries short of a happy meal goes a long way. -- bride of spidy

write your own damn article by turmeric, 07/23/2003 12:22:52 AM EST (1.80 / 5)

I'm trying to explain why SSL is important by MichaelCrawford, 07/23/2003 01:12:59 AM EST (4.00 / 1)

i think by turmeric, 07/23/2003 08:45:32 AM EST (3.28 / 7)

That's not why by MichaelCrawford, 07/23/2003 08:49:37 AM EST (none / 0)

Is this a troll? by blackwizard, 07/23/2003 01:03:49 AM EST (1.00 / 1)

Pardon? by MichaelCrawford, 07/23/2003 01:14:36 AM EST (none / 0)

That thar link in his comment by davidmb, 07/23/2003 06:32:42 AM EST (none / 0)

Sometimes I'm not very observant by MichaelCrawford, 07/23/2003 08:47:34 AM EST (none / 0)

you are going a bit far by asad, 07/23/2003 12:21:05 PM EST (none / 0)

Why you should transmit random encrypted shit by MichaelCrawford, 07/23/2003 01:31:14 PM EST (none / 0)

But that's... spam! by Lagged2Death, 07/23/2003 02:45:06 PM EST (none / 0)
ok some proof then by asad, 07/23/2003 06:26:01 PM EST (none / 0)

hey, cool, SSL! (1.13 / 15) (#91)
by crazycanuck on Wed Jul 23, 2003 at 10:56:31 AM EST

I love SSL!

I use SSL all the time. I use it when I'm browsing the web, chatting, brushing my teeth, doing my groceries... I even use SSL when I'm playing with my cat.

But enough about me. Maybe you can help me.

you see, i have a friend who recently installed gentoo sco/linux on his home PC. we was switching over from windows. anyway, he has this usb cable modem that does seem to work right under sco/linux. maybe you can help !!! my friend loves his cable modem very much and he is very sad about it. yesterday i thought i saw him crying! but he said he had something in his eye... anyway, it is very sad to see him without his cable modem. i would be very very happy if you will fix it for him !!! he loves his cable modem.

plz right back k thx !!!

Got any supporting evidence? (none / 0) (#93)
by Mr.Surly on Wed Jul 23, 2003 at 12:25:05 PM EST

Your argument seems to be "Use SSL, or someone bad can sniff your info and use your good name on eBay."

I'd say confidence scams are far more likely than packet sniffing. Packet sniffing is difficult to pull off unless you work for an upstream provider (ISP/backbone), or the company in question (eBay). The fact that you sniffed your own network doesn't really mean much. I can "steal" my own car, but hey, I have the keys.

Which leads me to (emphasis mine):

Some people will argue that ssl doesn't matter that much. They might claim most frauds are committed by faking emails and sending users to fake 'enter your password' websites. However I have not seen anyone show me any proof of this. ...

Do you have any evidence of account hijacking that could have been prevented with the use of SSL, or any other encryption? Seems you're saying "they don't have any proof." Well, neither do you.

Generally, I think encryption is a good thing. Hopefully, it keeps the bad guys away from your info. However, encryption is a not a panacea.

ethernet hubs by turmeric, 07/23/2003 12:29:26 PM EST (5.00 / 2)

Doubt it by CaptainSuperBoy, 07/23/2003 12:49:14 PM EST (none / 0)
Nothing? by Mr.Surly, 07/23/2003 01:08:37 PM EST (none / 0)

no evidence by turmeric, 07/26/2003 11:19:13 AM EST (none / 0)

not just hubs by needless, 07/23/2003 03:48:39 PM EST (4.50 / 2)

christ by turmeric, 07/26/2003 11:15:51 AM EST (none / 0)

Weak Link by SEWilco, 07/23/2003 05:45:13 PM EST (none / 0)

Should have posted this here instead... (4.00 / 2) (#101)
by skyknight on Wed Jul 23, 2003 at 02:50:49 PM EST

I originally posted this comment in turmeric's diary, not having noticed this story. Anyway...

Have you noticed that when you login to K5 at http://www.kuro5hin.org, the action field of the form is just "/"? You don't get momentarily redirected to an ssl connection as I had originally assumed, but rather your username and password get sent in the clear for anyone to read. Better still... Even after you've authenticated and been issued a cookie, your cookie is sent in the clear with every request, so (assuming your IP is part of the cookie info) anyone that has their connections routed through the same gateway can hijack your cookie and spoof you. At least, I certainly hope your IP is part of it, otherwise anybody, regardless of their location on the net, could sniff your cookie data and subsequently spoof you. Hurray!

Is the security here as bad as I am now realizing? Someone please tell me that I am completely wrong, because I don't want this to be true.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI

Big difference between... by lb008d, 07/24/2003 10:28:06 AM EST (none / 0)
SSL by pinkcress, 07/24/2003 02:20:18 PM EST (none / 0)

This is a bit of a kludge... by skyknight, 07/24/2003 03:01:38 PM EST (none / 0)

Send patches [nt] by pinkcress, 07/24/2003 09:31:04 PM EST (none / 0)

More like "send servers" /nt by skyknight, 07/25/2003 11:40:14 AM EST (none / 0)

yeah by mpalczew, 07/25/2003 09:41:56 AM EST (none / 0)

Maybe you don't personally care... by skyknight, 07/25/2003 11:39:19 AM EST (none / 0)

so by mpalczew, 07/27/2003 09:34:37 PM EST (none / 0)

Performance (2.00 / 1) (#103)
by iso on Wed Jul 23, 2003 at 03:11:42 PM EST

You seem to imply that eBay is avoiding SSL purely because they (their employees) are ignorant. That's not the case at all. eBay is avoiding SSL for performance reasons. Encrypting every page going out to a user can be very processor-intensive, and on a site as large as eBay it becomes a significant drain on resources. Generally large sites try to avoid SSL whenever it isn't absolutely required (look at how Hotmail logs you in through SSL/Passport, then forwards you off to a non-SSL page once you're logged in).

While the data in a Hotmail account isn't all the crucial, I agree that auction data is important. eBay obviously doesn't. It's not that they're ignorant, they just don't think all of the information on eBay.com is worth the performance penalty of encrypting.

ok by turmeric, 07/23/2003 09:35:04 PM EST (5.00 / 3)
never assume by chrisken, 07/23/2003 11:18:10 PM EST (none / 0)
Not every page, surely by olethros, 07/25/2003 08:59:37 AM EST (none / 0)

I don't get it (none / 0) (#105)
by Sloppy on Wed Jul 23, 2003 at 04:57:35 PM EST

This is a turmeric piece, isn't it? What's the gag?
"RSA, 2048, seeks sexy young entropic lover, for several clock cycles of prime passion..."

Obligatory comment (none / 0) (#125)
by Herring on Sat Jul 26, 2003 at 12:07:24 PM EST

Looks like SSL is the least of their security problems.

Say lol what again motherfucker, say lol what again, I dare you, no I double dare you

Passport Login on Ebay? (none / 0) (#127)
by malfunct on Tue Jul 29, 2003 at 11:05:29 AM EST

I am fairly certain that the passport login on ebay is secured with SSL (since its not run by ebay but instead microsoft). I don't know that its the fix that the author wants, but it seems if you want to be fairly secure on ebay you can create a new passport account (don't tie it to e-mail or personal info if you don't want to, passport recommends people have multiple accounts for different uses) and hook it up to ebay and then authenticate with that. It will at least protect your logon name and password.

That said the passport login through ebay is slightly clunky and doesn't always work smoothly. It also doesn't excuse the fact that ebay doesn't provide its own secure login. I just mentioned it because it might be a short term workaround for the security problem.

eBay still not using SSL | 128 comments (78 topical, 50 editorial, 0 hidden)

All trademarks and copyrights on this page are owned by their respective companies. The Rest © 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.