And they wanted to block Safari: PayPal’s EV SSL page and its vaunted green URL vulnerable to attack
Saturday, May 17, 2008 - 09:49 AM EDT"A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users' authentication credentials," Dan Goodin reports for The Register.
"The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they're visiting is secure by turning their browser address bar green," Goodin reports.
"But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn't been tampered with," Goodin reports.
"The discovery is one more reason to remain skeptical of extended validation SSL, which has always struck us as a solution in search of a problem. Yes, we know it's supposed to close a loophole that's long existed in SSL by certifying, in this case for example, that it is eBay (the parent company of PayPal) that owns the SSL certificate for the specific PayPal page. But we've not yet heard of a single attack involving a forged certificate, so we're tempted to think the measure is more gimmick designed to generate revenue for VeriSign and its competitors than anything else," Goodin reports.
"eBay security pros seem to have drunk the EV SSL Kool Aid, however, having announced recently that browsers that don't support the new standard [includes Apple's Safari for Mac and WIndows] aren't welcome on the PayPal site," Goodin reports.
Full article here.
MacDailyNews Take: Dumbasses.
Here's what we wrote a month ago, in part: "Should Apple add EV SSL to Safari? Maybe, maybe not; regardless it's really no substitute for users' common sense. What's next, anyway, XL SSL? XXL? SuperSized? Puleeze... PayPal is not your mommy, users need to be responsible for themselves, and EV certificates are a scam designed to extract more money from website operators under the guise of more security."
Apple Store Advertisements:
• Buy a Mac for college and get a free iPod touch. Order online and get free shipping. Expires 9/15.
• Buy any new Mac and get $30 off your first year of MobileMe subscription. Pre-order MobileMe at the Apple Store today.
• The all-in-one iMac. Now at speeds up to 3.06GHz. Free shipping. From $1199
• The more powerful Macbook Pro. Latest Intel Core 2 Duo, Multi-Touch trackpad, and more. From $1999.
• MacBook. Now even Faster. Featuring Intel Core 2 Duo up to 2.4GHz. From $1099.
• Pump up the volume. iPod touch. Now in 32GB. Free Shipping.
• iPod nano. Now with video. Starting at $149. Free shipping.
• Visit the Apple Store today. Free ground shipping on all orders over $50
[MacDailyNews and iPodDailyNews are Apple Store Affiliates. If you buy something from the Apple Store within 24-hours after clicking any one of our Apple Store ads, we will receive an affiliate percentage from Apple. There is no extra cost to you. Thank you in advance for your support.]
Related articles:
PayPal: We won’t block Safari users - April 19, 2008
PayPal plans to block Safari users - April 18, 2008
PayPal advises Mac users not to use Safari - February 29, 2008
= 
with PayPal.
Well hang in there. 
Ha, ha, ha...