“A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users’ authentication credentials,” Dan Goodin reports for The Register.
“The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they’re visiting is secure by turning their browser address bar green,” Goodin reports.
“But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn’t been tampered with,” Goodin reports.
“The discovery is one more reason to remain skeptical of extended validation SSL, which has always struck us as a solution in search of a problem. Yes, we know it’s supposed to close a loophole that’s long existed in SSL by certifying, in this case for example, that it is eBay (the parent company of PayPal) that owns the SSL certificate for the specific PayPal page. But we’ve not yet heard of a single attack involving a forged certificate, so we’re tempted to think the measure is more a gimmick designed to generate revenue for VeriSign and its competitors than anything else,” Goodin reports.
“eBay security pros seem to have drunk the EV SSL Kool Aid, however, having announced recently that browsers that don’t support the new standard [includes Apple’s Safari for Mac and Windows] aren’t welcome on the PayPal site,” Goodin reports.
Full article here.
Dumbasses.
Here’s what we wrote a month ago, in part: “Should Apple add EV SSL to Safari? Maybe, maybe not; regardless it’s really no substitute for users’ common sense. What’s next, anyway, XL SSL? XXL? SuperSized? Puleeze… PayPal is not your mommy, users need to be responsible for themselves, and EV certificates are a scam designed to extract more money from website operators under the guise of more security.”
Ha, ha, ha…
Sounds like Safari should block PayPal rather than the other way around.
A more expensive certificate does not a secure website make.
I block PayPal. I’ll never use them again.
The EVSSL is a crock. It’s nothing more than a scam that Microsoft and VeriSign (owned by Network Solutions) cooked up so that VeriSign can charge a boat-load more money for SSL certificates.
Be NICE, guys and gals … they are trying to do the right thing(s). It didn’t work out, but the motivation showed their heart was in the right place. Unlike MS, where the question is: is their heart a) black or b) missing?
Sure, we can laugh at them, but … is there really any way to be 100% sure your web interaction is safe and secure? I don’t think so. You do your best and pray.
That’d be right. I’m blocking PayPal, which means sorry, bye bye ebay. Which is nothing more than a world wide garage sale anyway.
I am finnished with PayPal.
Let me say that in Finnish.
PayPal on loppu minulle.
Rather than chasing after a new revenue stream, why don’t these folks concentrate on actually making SSL more secure, so this kind of thing can’t happen?
The fact that PayPal seemed so convinced that EVil SSL was more secure than it really is, has me concerned about where exactly their focus is: securing users’ data, or making more money for the folks behind EVil SSL?
@ DLMeyer:
Indeed. I want to be here when the Mac – yes, WHEN – gets an exploit that hoses people.
You think any OS/platform is perfect?
If you do, you better be prepared for the 9/11 that will someday hit your smartasses.
We’ve been lucky.
It won’t last forever.
Will you be so smug then?
“Dumbasses” is right – MDN and some of its visitors
@ DLMeyer:
To clarify, the previous post was only geared towards you in the first sentence – looking now, it looks like I’m saying the other things to YOU, which I’m not.
PayPal is not your mommy, users need to be responsible for themselves
Fair enough. So how do you know if you’re being spoofed (by a good spoofer, that is)? Not all of us have/use packet sniffers.
Where there’s money, there’s crime. Perhaps high-value targets like PayPal should consider dedicated client software, versus browser access? (Nothing against Safari, this has to do with SSL)
I’m sorry… Only a FOOL uses PayPal! Period.
@ Eric: Only a fool says something so blatantly stupid.
I’ve used it for years, and it’s SAVED me twice with two bad transactions.
Moron.
PayPal never said they wanted to block Safari you silly silly fools. MDN Get your facts straight before you post any more bile.
At least think before you make any comments. The 20 minute page load times on this site should give you plenty of opportunity to do that.
MDN the Dvorak of the Mac newsites.
Hey, after I use MacTheRipper, how exactly do I get my media into iTunes? iTunes seems to block the ability to save the stripped media in its folder….
Thanks
Jarrett… I just drag the media file over the movie or music list in the playlist that I want it in. iTunes then copies it into its library.
“Indeed. I want to be here when the Mac – yes, WHEN – gets an exploit that hoses people.
You think any OS/platform is perfect?
If you do, you better be prepared for the 9/11 that will someday hit your smartasses.
We’ve been lucky.
It won’t last forever.”
no, most of us do not think there is a perfectly safe platform, but adding extra hoops to make you less safe seems, i don’t know, stupid.
no, the Mac platform has not been lucky. it is UNIX based and built to be good. no, it isn’t perfect, but it is designed with security in mind and not as an after thought.
the fact that you seem to not see the difference between luck and forethought tells me that it is in fact you who are likely the moron.
to clarify, piss-off dumb-ass.
Man does the feedback here suck on weekends. 🙁
Seriously, are there any adults here? I’ve been on playgrounds more cultured than this.
Yeesh.
WOW, so much anger today. 🙁 Must be that June 9 is so far away.
Well hang in there.
Another topic:
Will Apple stock tank before or after the June 6 event?
Put another way, after June 6, will Apple stock surge down or jump up?
Just a thought.
PayPal SUCKS!!!
LOL – EAT CROW PAYPAL!
How’s it feel to look like total fucking idiots all over the world!
Paypal is soooooooooo secure – NOT.
They should close PayPal down and get Steve Jobs and Apple to create a truly secure site for inline payments – not some jumped up 16yr old who thinks he knows how to code.
It certainly comes to something when morons start to call other people morons after inventing supposed arguments that no one else has actually made until that moment.
Sorry guys, OS X is NOT Unix-based. That was the situation up to Tiger.
Mac OS X Leopard has been CERTIFIED UNIX. So it is *just* Unix, not Unix-based.
It is also the reason why it now grows even more in the academic sector: you may develop in Mac OS X Leopard and compile on any other certified Unix platform and vice versa. Source that compiles on one platform can then be compiled AND RUN without changes to the source code on any other Unix certified OS: in Leopard gone are the #ifdef #elif #else pre-processor statements in your code.
I use paypal – seems to work for me. I never buy anything on Safari – I always use Firefox.
Who cares – let Safari and PayPal block each other. Sip the Kool Aid – don’t gulp.