On 23 July 2009 I found an amazing mail message. It had arrived a couple of days previously, but landed in my spam folder:
This is absolutely unbelievable. The remainder of the headers make it clear that this is a genuine message from eBay, though the content itself isn't so sure: later on I find the text:
What I discern from this is:
eBay's own messages are inconsistent, untidy and self-contradictory.
They look like spam to SpamAssassin, and I need to fish them out first. This one slipped through because the headers were slightly different.
eBay didn't go to the trouble of identifying the email. Where's the Message-ID? Did I send a message to otherebayname? To be sure, I'd have to go back and check.
After checking, no, I didn't. The eBay member otherebayname has an address something like s04-6sm69p5ycw@members.ebay.com.au, to whom I did send a message. I could only find this because I kept the original query.
The response was, of course, not encrypted. It was digitally signed.
So, eBay considers signing your messages to be a security risk—maybe. Maybe it was somebody else. But then, that's typical of eBay. Looking for somebody to contact, I found a link on http://pages.ebay.com.au/securitycentre/index.html:
Find out who to contact when you need help.
But the link is not only incorrect, the redirection takes 10 seconds, demonstrating the breakage, and it takes me back to the main contact page.
eBay has been round for over 10 years. Have they still not learnt anything about security? To quote a discussion on IRC: