Chapter 31. Are Man-in-the-Middle Attacks a Myth?
About seven years ago, someone I know proved to me that you could get pretty much any software you wanted for free, if it was sold through PayPal. All a bad guy had to do was copy the web page that sold the software and change the price on it. Then, when the bad guy clicked the buy button on his own malicious copy, the purchase went back to PayPal with the altered price. If the vendor didn’t use a special PayPal system (where PayPal connected to the merchant over SSL to confirm the transaction), then PayPal just trusted that the price was real.
I don’t know about now, but back then nobody really used this system. And if they had, it wouldn’t have made much difference, because unless you were a big cryptography geek, you’d be using the PayPal sample code. And I noticed that PayPal’s code didn’t show how to secure the SSL connection properly. If you followed PayPal’s lead, it would end up being easy to perform a man-in-the-middle attack on the connection (I’ll give a brief explanation later for those who don’t know the term). I pointed all this out to Max Levchin, founder and (at the time) CTO of PayPal. He didn’t seem to believe it was a real issue, and certainly didn’t think it was important, because none of his merchants seemed to care about security. Citing merchant apathy is a fair response, actually.
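The two merchant-side defenses the anecdote points at, as an added example that is not from the book or from PayPal's sample code: the price is checked against the merchant's own catalog rather than trusted from the buyer's form, and the confirmation connection to the payment provider verifies the certificate and hostname. The item name, prices and notification fields are constructed for illustration.

```python
"""Added example (not from the book): merchant-side price verification and a
properly verifying TLS context. Catalog entries and notification fields are
constructed stand-ins, not PayPal's real API."""
import ssl
from decimal import Decimal

# Constructed server-side catalog: the authoritative price per item.
CATALOG = {"editor-pro": ("USD", Decimal("49.00"))}


def verify_payment(notification: dict) -> bool:
    """Accept a payment confirmation only if it matches the server-side price.

    `notification` is a constructed stand-in for the fields the payment
    provider confirms to the merchant (item id, amount, currency). The amount
    that arrived from the buyer's form is never trusted; it must equal the
    price the merchant actually set in CATALOG, in the expected currency."""
    try:
        currency, expected = CATALOG[notification["item"]]
        paid = Decimal(str(notification["amount"]))
    except (KeyError, ArithmeticError, ValueError):
        # Unknown item or unparseable amount: reject rather than guess.
        return False
    return notification.get("currency") == currency and paid == expected


def merchant_tls_context() -> ssl.SSLContext:
    """TLS client context for the merchant's confirmation call to the provider.

    Sample code that skips certificate and hostname verification lets any host
    that can interpose itself on the connection impersonate the payment
    provider and 'confirm' a tampered transaction (the man-in-the-middle case
    the chapter discusses)."""
    ctx = ssl.create_default_context()    # loads the system CA store
    ctx.check_hostname = True             # hostname must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject unverifiable certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    genuine = {"item": "editor-pro", "amount": "49.00", "currency": "USD"}
    tampered = {"item": "editor-pro", "amount": "0.01", "currency": "USD"}
    print(verify_payment(genuine), verify_payment(tampered))  # True False
```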
And then the original guy who contacted me decided to get the story some press coverage, and a Wired reporter was soon calling me for comment. I told him what I knew, and he ...
Get The Myths of Security now with the O’Reilly learning platform.