“A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users’ authentication credentials,” Dan Goodin reports for The Register.
“The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they’re visiting is secure by turning their browser address bar green,” Goodin reports.
“But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn’t been tampered with,” Goodin reports.
“The discovery is one more reason to remain skeptical of extended validation SSL, which has always struck us as a solution in search of a problem. Yes, we know it’s supposed to close a loophole that’s long existed in SSL by certifying, in this case for example, that it is eBay (the parent company of PayPal) that owns the SSL certificate for the specific PayPal page. But we’ve not yet heard of a single attack involving a forged certificate, so we’re tempted to think the measure is more gimmick designed to generate revenue for VeriSign and its competitors than anything else,” Goodin reports.
“eBay security pros seem to have drunk the EV SSL Kool Aid, however, having announced recently that browsers that don’t support the new standard [includes Apple’s Safari for Mac and Windows] aren’t welcome on the PayPal site,” Goodin reports.
Full article here.
Here’s what we wrote a month ago, in part: “Should Apple add EV SSL to Safari? Maybe, maybe not; regardless it’s really no substitute for users’ common sense. What’s next, anyway, XL SSL? XXL? SuperSized? Puleeze… PayPal is not your mommy, users need to be responsible for themselves, and EV certificates are a scam designed to extract more money from website operators under the guise of more security.”