by austinpilot 4984 days ago
One of the authors here... The paper is accompanied by a FAQ, which among other things explains the impact on specific software:

https://docs.google.com/document/pub?id=1roBIeSJsYq3Ntpf6N0P...

For example, broken SSL in Amazon FPS allows a MITM attacker to forge instant payment notifications and defraud merchants who use vulnerable SDKs. This is a real vulnerability, acknowledged by Amazon.

2 comments

Oh thanks, I think that FAQ is exactly what I was looking for. I realize we might not be your target audience, but it seems like it'd be worth including those impact analysis statements in the paper itself, since they're short and do really help to clarify the situation.

I'll have to take a second look at the instant payment notification forgery. Last I used FPS, I remember the transaction notifications being signed. Maybe "instant payments" are a new thing.

Can you address his specific point about TextSecure?
Please would ya?