(SF) Mark 2 post(s)

Why does jbidwatcher not use HTTPS for transport of username/password to the ebay site?


Morgan Schweers Administrator 1,204 post(s)

Mainly because Java doesn’t support the https transport until around 1.4.1. I have a lot of users still using 1.3.x, and a few using 1.2.2. I try to preserve backwards compatibility as best as I can.

Now, the last time I looked into this was late 2002, and eBay’s https support was abysmal. It was just for the login, and then they basically spit back an encoded string in the non-encrypted sessions which was completely replayable. Bidding, My eBay, watching, etc., didn’t use https pages, so the data was sent in the cookies and the URLs. You can read my semi-rant on the topic here:

I haven’t tried since then to see if things have changed. I imagine they have, and I’d have to see if it’s enough to fully support https.

The other note is that while at some point I’d like to be able to say that Java 1.4.1 or later is required, I can’t yet. This potentially means using Reflection for figuring out whether the JRE supports https or not, and stuff like that. I’ve tried hard to keep version dependencies out of JBidwatcher. It’s not 100% possible, but I do try.

— Morgan Schweers, CyberFOX!
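The reflection-style probe Morgan mentions, written out as an added example (this is not JBidwatcher code; the class names checked and the fail-closed policy are my assumptions): it resolves the JSSE classes by name so the program still loads on a JRE that lacks them, and it refuses to fall back to plaintext unless the caller explicitly allows it.

```java
import java.net.MalformedURLException;
import java.net.URL;

/**
 * Added example, not from JBidwatcher: detect at run time whether this JRE
 * can speak https, without compiling a hard dependency on 1.4.1+ classes.
 */
public class HttpsProbe {

    /** True if the JRE ships the JSSE classes and an https URL handler. */
    public static boolean httpsSupported() {
        try {
            // Look the classes up by name: referencing them directly would make
            // the whole class fail verification on a JRE that lacks JSSE.
            Class.forName("javax.net.ssl.HttpsURLConnection");
            Class.forName("javax.net.ssl.SSLSocketFactory");
            // Constructing the URL exercises the protocol handler lookup; an old
            // JRE throws MalformedURLException("unknown protocol: https") here.
            new URL("https://example.invalid/");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    /**
     * Chooses the login URL scheme. Fails closed: a silent downgrade to http
     * would send the password in the clear without the user ever knowing.
     * The host and path are placeholders, not eBay's real login endpoint.
     */
    public static String loginUrl(String host, boolean allowPlaintext) {
        if (httpsSupported()) {
            return "https://" + host + "/login";
        }
        if (allowPlaintext) {
            return "http://" + host + "/login";
        }
        throw new IllegalStateException(
            "This JRE has no https support; refusing to send credentials in plaintext");
    }

    public static void main(String[] args) {
        System.out.println("https supported: " + httpsSupported());
        System.out.println("login via: " + loginUrl("auction.example", false));
    }
}
```

Note that a JRE which passes this probe may still ship no trusted root certificates; the probe only answers whether https can be attempted, not whether the server's certificate will validate.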

(SF) Mark 2 post(s)

Thanks for the reply. I didn’t realize how insecure ebay is/was being. I guess that I will just have to make sure that my ebay password is different from any other password I use. Even just encrypting the login process would be nice though. BTW, why are some users forced into using old JREs? And are you looking for any help with this project?