Privacy concerns over gaps in eBay crypto

eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious. Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to …

  1. Steve Knox

    Understands?

    Complaints have been raised alleging that eBay fails to meet current data protection regulations. El Reg understands these complaints are still under consideration and should therefore be treated as unconfirmed.

    El Reg is losing its edge. Since when has it been understanding w/r/t companies like eBay?

    1. Anonymous Coward

      Re: Understands?

      Perhaps they feel sorry for yesteryear's online tat bazaar? The only use for ebay is to be a seller, clean out your basement or attic of crap, and sell it off making a fat profit on shipping a $1 item for $8 or more. ebay is the leader in shipping fraud perpetrated by their shady sellers. These creeps are even on Amazon. Shipping wankers! When I ship an item, the USPS shipping prices are dirt cheap. Someone is charging for getting off the couch and driving down to the post office in their pajamas. I can purchase US$200 of crap from Amazon and their normal speed shipping is only about US$9. It is known.

  2. Anonymous Coward

    oi ebay

    http://m.ebay.co.uk/itm/Strongest-Encryption-SSL-certificate-for-1-domain-name-for-3-years-/112248803774

    Looks legit. You're letting him sell this, why not buy one?

  3. Anonymous Coward

    > El Reg is losing its edge. Since when has it been understanding w/r/t companies like eBay?

    It's only been twenty days since theregister.co.uk started to be available over HTTPS.

    1. Pliny the Whiner

      "It's only been twenty days since theregister.co.uk started to be available over HTTPS."

      Well, yes, and it's bitchy of you to point that out.

    2. Martin Summers

      Oh no! Someone could have intercepted my article reading habits!

      1. Dan 55

        If you're not bothered then it doesn't affect you. If you are then you're going to be happy that El Reg is now available over HTTPS. With so much bulk interception going on, what's the downside?

        1. Anonymous Coward

          > With so much bulk interception going on, what's the downside?

          There is no downside. Just pointing out that HTTPS is not yet as ubiquitous as you would expect it to be.

          Plus, from the information provided in the article, the nature of the data that could be intercepted over Ebay or over The Register is not radically different: no financial data, but both could be used to build a profile of the person(s) behind the account. In Ebay's case I believe this included some personal data (e.g., name), while in The Register's it included account login details (making it trivial to profile a user).

          That is why I think it's fair on The Register's side not to give in to gratuitous sensationalism and knock Ebay down too much about it.

          Mind, there is also the issue of HTTPS not being nearly as efficient a security measure as it used to be ten years ago, but that's another subject.

  4. Ben Tasker

    It said secondary controls it had in place would help protect users in the meantime.

    Bollocks do they.

    It doesn't matter what you've got running on the backend, if you're sending stuff in the clear it's fair game to anyone in the position to intercept it.

    They're essentially claiming that because they protect the data at rest via access controls etc, it's automagically also protected in flight.

    Their access controls might stop you from misusing the obtained data against ebay's systems, but that doesn't help if the information gleaned is then used for spear phishing, or against other services.

    But then... it's Ebay. Is anyone surprised?

  5. Anonymous Coward

    Even less reason to restart business there

    I went back to buying from Amazon and/or direct, because ebay was too stupid to block adding or to identify items in a basket which blocked credit card payment, which repeatedly pissed me off! In some cases I wouldn't even have cared if there was an included card surcharge for some items.

    This latest security fail gives me even less reason to restart trade via ebay, because it is completely unacceptable, on any site, to list personal details or baskets on unencrypted pages, because of ID theft risk and the risk of request/response monitoring by other parties.

    HTTP easily allows Man-in-the-Middle spying and injection of modified or weaponised requests/responses, and offers no protection against DNS spoofing, so HTTP must be replaced by HTTPS on all internet sites and some more local sites too, especially anything with a login!

  6. Martin Summers

    "A VPN can mitigate the risks that arise from the lack of HTTPS on these pages."

    Erm, how exactly? Is the VPN point magically encrypted all the way to ebay's servers?

    1. batfastad

      Upvote.

      Was going to question this myself. A VPN would only be any good if it was straight into eBay's networks.

    2. Martin Summers

      I really should proofread better. I meant to put VPN endpoint.

    3. Anonymous Coward

      @Martin Summers

      Well, no. Magic isn't real.

  7. markrichards

    There is breach of regulation and then there is fraud

    Thanks The Register and John for the article on this.

    Great to see The Register is https.

    The biggest concern I had with Ebay is not that they're not up to the times with the best or even required security technology: in this industry we all make mistakes and are catching up at different rates.

    My concern is with their attitude and the result of it that it seems they feel it is okay to lie about what they offer to people who are parting with their privacy and their money.

    Ebay demands sellers don't lie and yet it does.

  8. batfastad

    Have been wondering this myself for 10+ years.

    Even though there is little personal information on the non-HTTPS eBay pages there is still identifiable information in the form of (many) session IDs.

    Whenever you've got a session with a user the session IDs should only be transmitted over HTTPS. Basic.
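The point made in comments 4, 5 and 8 (anything sent in the clear is fair game, and session identifiers in particular should never travel over plain HTTP) comes down to one cookie attribute: a cookie carrying the `Secure` flag is only attached to requests the browser considers secure (RFC 6265 section 5.4), so a session cookie set without it will be sent along with every unencrypted page load. The following is an added example, not code from the thread or from eBay: it audits a constructed list of `Set-Cookie` headers, reports which session-looking cookies lack `Secure` or `HttpOnly`, shows which cookies a browser would attach to an `http://` request, and emits a hardened version of each weak header. The session-name heuristic (`SESSION_HINTS`) and the sample headers are assumptions made up for the demonstration.

```python
"""Audit Set-Cookie headers for session identifiers that would leak over plain HTTP.

Added example; the sample headers below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed sample: what a server might emit on a login response (assumption).
SAMPLE_SET_COOKIE = [
    "sessid=a1b2c3d4e5f6; Path=/; HttpOnly",                                  # session id, no Secure
    "ebay_sess_token=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",       # hardened
    "lang=en-GB; Path=/; Max-Age=31536000",                                   # harmless preference
    "JSESSIONID=9F3C; Path=/",                                                # session id, no flags
]

# Name fragments we treat as "probably a session or auth token" (heuristic, assumption).
SESSION_HINTS = ("sess", "sid", "token", "auth", "login")


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into a Cookie; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def cookies_sent_over(cookies: Sequence[Cookie], scheme: str) -> List[str]:
    """Names a browser would attach to a request with the given URL scheme.

    RFC 6265 s.5.4: a cookie with the Secure attribute is sent only over a secure channel;
    everything else goes out on plain HTTP too, where anyone on the path can read it.
    """
    return [c.name for c in cookies if scheme == "https" or not c.secure]


def audit(headers: Sequence[str]) -> Dict[str, List[str]]:
    """Report session-looking cookies that lack Secure/HttpOnly and what leaks on http://."""
    cookies = [parse_set_cookie(h) for h in headers]
    return {
        "session_cookies_without_secure": [
            c.name for c in cookies if looks_like_session(c.name) and not c.secure
        ],
        "session_cookies_without_httponly": [
            c.name for c in cookies if looks_like_session(c.name) and not c.httponly
        ],
        "sent_over_http": cookies_sent_over(cookies, "http"),
    }


def harden(header: str) -> str:
    """Return the header with Secure and HttpOnly appended if they are missing."""
    cookie = parse_set_cookie(header)
    out = header.rstrip("; ")
    if not cookie.secure:
        out += "; Secure"
    if not cookie.httponly:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for key, names in audit(SAMPLE_SET_COOKIE).items():
        print(f"{key}: {names}")
    for h in SAMPLE_SET_COOKIE:
        if parse_set_cookie(h).name in audit(SAMPLE_SET_COOKIE)["session_cookies_without_secure"]:
            print("weak:    ", h)
            print("hardened:", harden(h))
```

Run against the constructed sample, `sessid` and `JSESSIONID` are flagged as session cookies without `Secure`, and both appear in the list of cookies a browser would send on an `http://` request; `ebay_sess_token` is absent from that list precisely because of its `Secure` flag. Setting the flag is the server-side fix the comment asks for, but it only helps once the pages that need the session are themselves served over HTTPS, otherwise the application simply stops working on the plaintext pages.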
