Re: sessions and security

Posted by Gordon Burditt on 03/13/07 03:02

>a) user types their username and password into a browser, and clicks
>submit over an SSL connection

This protects the username and password. And, at this stage, the
session cookie.

>b) user then is brought to a non-ssl connection, where they click
>something like "edit password"

The session cookie is exposed here, unless the cookie was a https-only
cookie. But as I recall, Ebay uses your session info for lots of
stuff (like "My Ebay") on non-secure pages, so I don't think it was
a https-only cookie.

>c) user is brought to a "change password" page, which is an SSL
>connection
>
>it seems to me that in step b, a hacker could catch the session,
>correct?

Only if he is in a position to sniff your traffic, which isn't really
easy to do unless he's an employee of some company along the way:
your ISP, Ebay, a phone company, etc.

>so are we to assume that ebay is doing something in addition
>to sessions, such as IP recording, etc.?

Not necessarily. They may simply *NOT CARE*. Why, for example,
do banks not require DNA tests to use a credit card? How about a
photo id? Why do they not require a PIN to use a credit card? How
about a signature even if the transaction is under $25? Because
the losses stopped don't make up for the costs and lost business
due to the hassle.
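The "https-only cookie" Gordon refers to is the cookie's Secure attribute (RFC 6265): a browser attaches a Secure cookie only to requests it sends over TLS, so the session identifier set during step (a) never appears on the plain-HTTP page in step (b). The example below is added here and is not part of the original thread; it uses Python's standard-library http.cookiejar as a stand-in for the browser's cookie store and replays the three steps for a cookie with and without the attribute. The host names, paths and the cookie value are made up for the illustration.

```python
"""Added example: does the session cookie leak onto the non-SSL page?

http.cookiejar applies the same rules a browser does when deciding which
cookies to send, so it is used here to model the browser.  All URLs and the
cookie value are constructed for the demonstration.
"""
import http.cookiejar
import io
import urllib.request
import urllib.response
from email.message import Message

LOGIN_URL = "https://www.example.com/login"            # step (a), SSL
NON_SSL_URL = "http://www.example.com/myaccount"        # step (b), plain HTTP
CHANGE_PW_URL = "https://www.example.com/change_password"  # step (c), SSL

# Two Set-Cookie headers the login response might have sent (constructed).
SNIFFABLE = "sid=s3ss10n-t0k3n; Path=/"          # no Secure attribute
HTTPS_ONLY = "sid=s3ss10n-t0k3n; Path=/; Secure"  # Gordon's "https-only" cookie


def login_over_https(jar, set_cookie_value, login_url=LOGIN_URL):
    """Step (a): feed the login response's Set-Cookie header into the jar."""
    req = urllib.request.Request(login_url)
    headers = Message()
    headers["Set-Cookie"] = set_cookie_value
    # addinfourl gives the jar the response-like object it expects.
    resp = urllib.response.addinfourl(io.BytesIO(b""), headers, login_url)
    jar.extract_cookies(resp, req)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the 'browser' would attach to url, or None
    when the jar's policy withholds every stored cookie for that request."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def exposure_report(set_cookie_value):
    """Log in over SSL, then see what goes out on steps (b) and (c)."""
    jar = http.cookiejar.CookieJar()
    login_over_https(jar, set_cookie_value)
    return {
        "http": cookie_header_for(jar, NON_SSL_URL),
        "https": cookie_header_for(jar, CHANGE_PW_URL),
    }


if __name__ == "__main__":
    for label, value in (("without Secure", SNIFFABLE), ("with Secure", HTTPS_ONLY)):
        r = exposure_report(value)
        print(f"{label}: step (b) sends {r['http']!r}, step (c) sends {r['https']!r}")
```

Without the attribute the same `sid` value travels in the clear on the step (b) request, which is exactly what a sniffer between the user and the site would capture; with it, the http:// request carries no Cookie header at all while the https:// password-change request still does. The trade-off Gordon describes is visible here too: a site that also wants session state on its non-SSL pages cannot mark that same cookie Secure, so it either accepts the exposure or issues a second, Secure cookie for the sensitive pages only.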


