07-13-2018 07:50 AM
First of all, I have to say I'm frustrated and concerned that there's no contact option for technical issues, and not even anything under the "security" sections, for this type of thing. Though based on my previous experiences with eBay, it doesn't surprise me, as they/you continually show a lack of regard for user security and privacy.
The signin.ebay.com page is unsecure, and the only way I could even access it was by disabling the security.ssl.require_safe_negotiation pref in my browser. This is something I normally wouldn't bother doing; the only reason I even bothered to continue was because I promised a friend I'd get something he needs, but, until this is fixed, I won't be doing it again. It's also something most people will be unaware of, since that setting defaults to off, though I think it should default to true, which would force companies that are lax on security, like eBay, to improve; most people won't notice the very subtle "warning" the browser provides with it off.
Here's the error with it on:
-----
Secure Connection Failed
An error occurred during a connection to signin.ebay.com. Peer attempted old style (potentially vulnerable) handshake. Error code: SSL_ERROR_UNSAFE_NEGOTIATION
-----
And here are the details of the unsecure connection once the setting is disabled to allow the page to load:
-----
Broken Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.2)
Your connection to this website uses weak encryption and is not private. Other people can view your information or modify the website’s behavior.
Information sent over the Internet without encryption can be seen by other people while it is in transit.
-----
In truth, this probably isn't an "unsecure" connection, but it's not very strong security either. Unless eBay truly doesn't care at all about their users, I'd highly recommend they update it ASAP. Also, while I'm not a fan of using forums in place of a true contact method, at least this will put the issue in the public eye, so hopefully people will be more aware and so eBay will have a little harder time ignoring it, which is what they do with issues brought to them privately.
07-13-2018 07:53 AM
07-13-2018 10:22 AM
I didn't see any other responses, but I guess most folks are preoccupied with the new search bug.
My login looks normal on this end; no obvious errors or warnings.
Browser security is not really my thing, so apologies if this is stuff you have already thought of or tried.
Anything special about your setup? Running an old browser? Are you going through the main eBay page, or are you using an old bookmark? Do you have the same authentication problems if you use a different browser?
I did see a post recently that made a reference to PayPal requiring at least TLS 1.1 starting this month; I wonder if that might be related to your issue, particularly if you are using an older browser:
Just a data point. Hope it helps. Good luck.
07-13-2018 06:22 PM
Thanks for the reply and trying to help, but it's not an issue of getting it to work. I know exactly how to make it work: by reducing the security threshold of the browser. By default, the preference I mentioned is disabled, because with it enabled sites that aren't properly secure, like eBay, won't work, and it would cause too much confusion and frustration with people not being able to access those sites and not knowing why. I enable it to increase the security of the browser, and I know that all I have to do is disable it to get the site to work. The problem is, that shouldn't be necessary. I do a lot of web surfing, visit probably dozens, if not 100+ different sites, per month (per week even sometimes), and eBay is probably the only one I've had an issue with in the past few months since enabling the setting. I don't know what exactly is wrong with their encryption, though I would guess it's the use of 128-bit AES, which is not considered secure anymore, and a big site like eBay should know that and be well ahead of the curve, not behind it like they are. It's nothing to do with TLS. They use TLS 1.2, which is the most current protocol, and I limit my browser to 1.1+, though will probably limit it to 1.2 after a while (by default, most browsers still allow 1.0 even, despite it being quite unsecure, again to limit breakage). And I'm using an up-to-date, mainstream browser (Firefox) though, again, I know that's not the issue. If you use Firefox, you can see for yourself by enabling the preference I mentioned. The reason you don't experience any problems is because, as I said, browsers are by default not locked down as much as they could be, to limit breakage for the majority of people that would just complain about it and switch to a different browser with "weaker" settings.
I just wanted to bring it to their attention, and their technical staff can figure out the exact issue and fix it, assuming, again, that they even care. But it's irritating that even just to read a reply here, I have to open the browser's configuration, change the setting, reload the page, then change the setting back when I'm done in order to maintain the higher security for my normal browsing. So hopefully my pointing it out to them will give them the kick they need to update their encryption to meet current "standards" (as I said before, it may not be "unsecure," it's just not very secure; like having a lock on the doorknob but not installing a deadbolt, even though there's a pile of money inside in plain view from outside). And I probably wouldn't be so upset about it if they didn't have a blatant "don't care" attitude about users (based on my previous experience with them, which ended with me closing my account and opening a new one because they weren't doing anything) and the lack of any way to contact them about it.
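What the two browser messages quoted in the first post actually test, as an added example that is not part of the thread: Firefox's security.ssl.require_safe_negotiation=true makes the browser refuse any server that does not advertise the RFC 5746 secure renegotiation extension (renegotiation_info, type 0xff01) in its ServerHello, which is the SSL_ERROR_UNSAFE_NEGOTIATION seen above; separately, the negotiated suite TLS_RSA_WITH_AES_128_CBC_SHA uses static RSA key exchange, which provides no forward secrecy whatever the AES key length. The script below parses a TLS 1.2 ServerHello record and reports both properties. The ServerHello bytes, the small cipher suite table and the function names (build_server_hello, parse_server_hello, assess) are constructed for this example and are not eBay's or Mozilla's code.

```python
"""
Added example (not code from the eBay thread): parse a TLS 1.2 ServerHello
record and report (a) whether the server advertised RFC 5746 secure
renegotiation (renegotiation_info, type 0xff01) and (b) whether the chosen
cipher suite's key exchange gives forward secrecy. All ServerHello bytes
are constructed locally; nothing is sent over the network.
"""
import struct

# Hand-picked cipher suite table (IANA names): code -> (name, key exchange, forward secrecy)
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", False),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA", False),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_RSA", True),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE_RSA", True),
}

EXT_RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type
REC_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02


def build_server_hello(cipher_suite, secure_renegotiation):
    """Construct a TLS record carrying a TLS 1.2 ServerHello (constructed test data)."""
    exts = b""
    if secure_renegotiation:
        # Initial handshake: renegotiated_connection is empty, so the body is one 0x00 length byte.
        exts += struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"
    body = (
        b"\x03\x03"                        # server_version = TLS 1.2
        + bytes(32)                        # random (zeros here; a real server sends 32 random bytes)
        + b"\x00"                          # session_id length = 0
        + struct.pack("!H", cipher_suite)  # selected cipher suite
        + b"\x00"                          # compression_method = null
    )
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([REC_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse a handshake record holding a ServerHello; raise ValueError on malformed input."""
    def take(buf, pos, n):
        if pos + n > len(buf):
            raise ValueError("truncated ServerHello at offset %d" % pos)
        return buf[pos:pos + n], pos + n

    if len(record) < 5 or record[0] != REC_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs, _ = take(record, 5, rec_len)
    if not hs or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body, _ = take(hs, 4, hs_len)

    pos = 0
    ver, pos = take(body, pos, 2)
    _random, pos = take(body, pos, 32)
    sid_len, pos = take(body, pos, 1)
    _sid, pos = take(body, pos, sid_len[0])
    suite, pos = take(body, pos, 2)
    _comp, pos = take(body, pos, 1)

    extensions = {}
    if pos < len(body):  # the extensions block is optional
        ext_len, pos = take(body, pos, 2)
        ext_block, pos = take(body, pos, struct.unpack("!H", ext_len)[0])
        epos = 0
        while epos < len(ext_block):
            hdr, epos = take(ext_block, epos, 4)
            etype, elen = struct.unpack("!HH", hdr)
            data, epos = take(ext_block, epos, elen)
            extensions[etype] = data
    return {
        "version": struct.unpack("!H", ver)[0],
        "cipher_suite": struct.unpack("!H", suite)[0],
        "extensions": extensions,
    }


def assess(record):
    """Return the two properties a hardened Firefox profile checks, plus human-readable findings."""
    hello = parse_server_hello(record)
    unknown = ("unknown (0x%04x)" % hello["cipher_suite"], "unknown", False)
    name, kx, fs = CIPHER_SUITES.get(hello["cipher_suite"], unknown)
    ri = hello["extensions"].get(EXT_RENEGOTIATION_INFO)
    secure_reneg = ri == b"\x00"  # initial handshake: present, with empty renegotiated_connection
    findings = []
    if not secure_reneg:
        findings.append("no RFC 5746 renegotiation_info: Firefox with "
                        "security.ssl.require_safe_negotiation=true fails with SSL_ERROR_UNSAFE_NEGOTIATION")
    if not fs:
        findings.append("%s: %s key exchange, no forward secrecy" % (name, kx))
    return {"cipher_suite": name, "secure_renegotiation": secure_reneg,
            "forward_secrecy": fs, "findings": findings}


if __name__ == "__main__":
    # Constructed data: a server resembling the one described in the thread, and a modern one.
    legacy = build_server_hello(0x002F, secure_renegotiation=False)
    modern = build_server_hello(0xC02F, secure_renegotiation=True)
    for label, rec in (("legacy", legacy), ("modern", modern)):
        print(label, assess(rec))
```

To check a live server instead of constructed bytes, `openssl s_client -connect host:443 </dev/null` prints "Secure Renegotiation IS supported" or "IS NOT supported" along with the negotiated `Cipher:` line; the first of those is exactly what the Firefox preference enforces, and the second is what the "128 bit keys" message is summarising.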