Hi RJ LeVeque,

You make me curious -- a security hole that we all missed?

> PAYMENT_URL= <----- COMMON ERROR IS THE DESTINATION. Extreme security
> breach.

You are not particularly clear. Could you specify an example, preferably tested on your own system? With the technical details that make the hole open to exploitation?

I doubt if the problem you see will survive such a test. When you stay abstract the problems seem apparent, but as soon as you work it out you see what's done against it. Happened to me on countless occasions.

You do realise that the payment URL only accepts signed statements that are based on a secret stored in the receiving account, right? Of course, it would be better to use pubkey crypto for this, but this is good enough in practice.

> Any common webmaster using the default SCI is vulnerable AND will lose money
> on lost purchases.

Provide technical details and stick to facts please -- the extrapolation is trivial, unlike realising what precisely goes wrong.

BTW, a widely appreciated approach to security holes is to test them yourself, send the exploit details in encrypted email to the system's maintainer, and then hold back before publishing about it, to give e-gold a chance to repair, and merchants to change their implementations.

Hope this helps,

Cheers,
Rick van Rein.
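
The message's point that a payment URL accepts only statements signed with a secret held by the receiving account, sketched as an added example (not part of the original message, and not e-gold's actual scheme). It uses HMAC-SHA256 as a stand-in; the field names, the secret and the sample notification are constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical field names and order, constructed for this illustration.
SIGNED_FIELDS = ("payment_id", "payee_account", "payer_account",
                 "amount", "currency", "batch")


def _canonical(fields: dict) -> bytes:
    # Length-prefix every value so that moving characters between
    # adjacent fields cannot produce the same byte string.
    parts = []
    for name in SIGNED_FIELDS:
        value = str(fields[name]).encode("utf-8")
        parts.append(b"%d:%s" % (len(value), value))
    return b"|".join(parts)


def sign(fields: dict, secret: bytes) -> str:
    """Tag the payment system attaches before calling the merchant's URL."""
    return hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()


def verify(posted: dict, secret: bytes, own_account: str, expected_amount: str) -> bool:
    """Check the merchant's payment URL handler runs on every request."""
    tag = posted.get("mac")
    if not isinstance(tag, str) or any(n not in posted for n in SIGNED_FIELDS):
        return False  # missing tag or missing signed field
    good = hmac.compare_digest(sign(posted, secret).encode(), tag.encode("utf-8"))
    # A genuine tag is not enough: the statement must also be about this
    # merchant's account and the amount the order actually called for.
    return (good and posted["payee_account"] == own_account
            and posted["amount"] == expected_amount)


# Constructed sample data.
SECRET = b"constructed-demo-secret"
GENUINE = {"payment_id": "order-1001", "payee_account": "100200",
           "payer_account": "300400", "amount": "25.00",
           "currency": "USD", "batch": "77"}
GENUINE["mac"] = sign(GENUINE, SECRET)
FORGED = dict(GENUINE, mac="0" * 64)      # sender does not know the secret
TAMPERED = dict(GENUINE, amount="0.01")   # field changed after signing

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("forged", FORGED), ("tampered", TAMPERED)):
        print(label, verify(msg, SECRET, "100200", "25.00"))
```

A request sent straight to the payment URL without the secret fails the tag comparison, and a correctly tagged statement for a different account or amount fails the last two checks.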