eBay's lack of understanding of security concepts

eBay: Digital signatures encourage identity theft

On 23 July 2009 I found an amazing mail message. It had arrived a couple of days previously, but landed in my spam folder:

From failurenotice@members.ebay.com  Mon Jul 20 10:15:27 2009
Return-Path: <failurenotice@members.ebay.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on dereel.lemis.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=3.0 tests=BAYES_80,DKIM_SIGNED,
        DKIM_VERIFIED,HTML_MESSAGE autolearn=no version=3.2.5

-----------------------------------------------------------------
eBay sent this message to Greg Lehey (ebayname).
Your registered name is included to show this message originated from eBay.
Learn more at http://pages.ebay.com/help/confidence/name-userid-emails.html
-----------------------------------------------------------------

-----------------------------------------------------------------
There was a problem with your message
-----------------------------------------------------------------

Dear ebayname,

Because of security concerns, eBay did not send your recent email message
to otherebayname.

We blocked this message because it was sent in an encrypted format. We
don't allow encrypted emails so we can better protect all of our members
from identity theft and unwanted email.

Please send your message again without encryption.

Thank you for your understanding, and thank you for helping to keep eBay
members safe.

This is absolutely unbelievable. The remaining headers make it clear that this is a genuine message from eBay, though the content itself is less certain: further on I find the text:

Another eBay member sent this email to ebayname@lemis.com through the eBay
platform. eBay takes no liability for the sending of this email or its
content

What I discern from this is:

So, eBay considers signing your messages to be a security risk—maybe. Maybe it was somebody else. But then, that's typical of eBay. Looking for somebody to contact, I found a link on http://pages.ebay.com.au/securitycentre/index.html:

Find out who to contact when you need help.

But the link is not only incorrect: the redirection takes 10 seconds, demonstrating the breakage, and it takes me back to the main contact page.

eBay has been around for over 10 years. Have they still not learnt anything about security? To quote a discussion on IRC:

<callum> Wow - they are protecting members by forcing them to use plain text
email.
<peter3G> Without digital signatures.
<callum> Yeah, I can see how that will stamp out identity theft.
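As an added example (not from the original post, and not anything eBay runs) of the distinction the filter above apparently failed to make: a small Python classifier that tells a PGP-signed message (RFC 3156 multipart/signed or an inline clearsigned body) from a PGP-encrypted one, so that a relay policy can reject only what it genuinely cannot inspect. The sample messages are constructed and carry no real signature or ciphertext.

```python
import email
from email import policy

PGP_SIGNED_BANNER = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_ENCRYPTED_BANNER = "-----BEGIN PGP MESSAGE-----"


def classify(raw: str) -> str:
    """Return 'encrypted', 'signed' or 'plain' for an RFC 5322 message.

    A signed message keeps its text readable, so a relay can still inspect
    it; only an encrypted one hides the content. MIME structure is checked
    first, then inline (non-MIME) PGP armour in the text body.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return "encrypted"
    if ctype == "multipart/signed":
        return "signed"
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if PGP_ENCRYPTED_BANNER in text:
        return "encrypted"
    if PGP_SIGNED_BANNER in text:  # clearsigned: text is still readable
        return "signed"
    return "plain"


def relay_accepts(raw: str) -> bool:
    """Policy: accept anything the relay can read, i.e. plain or signed."""
    return classify(raw) != "encrypted"


# Constructed samples (hypothetical addresses, fake armour contents).
SIGNED_SAMPLE = ("From: alice@example.org\nTo: bob@example.org\nSubject: test\n\n"
                 "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                 "Hello Bob, the item arrived.\n"
                 "-----BEGIN PGP SIGNATURE-----\n\n(constructed, not a real signature)\n"
                 "-----END PGP SIGNATURE-----\n")
ENCRYPTED_SAMPLE = ("From: alice@example.org\nTo: bob@example.org\nSubject: test\n"
                    "MIME-Version: 1.0\nContent-Type: multipart/encrypted; "
                    "protocol=\"application/pgp-encrypted\"; boundary=\"b1\"\n\n"
                    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
                    "--b1\nContent-Type: application/octet-stream\n\n"
                    "-----BEGIN PGP MESSAGE-----\n(constructed ciphertext)\n"
                    "-----END PGP MESSAGE-----\n--b1--\n")
PLAIN_SAMPLE = "From: alice@example.org\nTo: bob@example.org\nSubject: test\n\nHello Bob.\n"

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, "->", classify(raw), "accepted:", relay_accepts(raw))
```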



$Id: ebay-insecurity.php,v 1.3 2009/07/23 23:36:45 grog Exp $