April 20, 2008
The Problem With EV SSL
PayPal’s “get tough on insecure browsers” stance sounds good, but a SANS blogger argues that a browser’s support for EV SSL certificates is hardly the criterion by which PayPal should be judging browser security:
“The question remains, is a user able to discern an EV Signed site from other SSL signed sites to know the difference. Academic research indicates that, no, EV certificates make no impact on users spotting fraudulent sites or not.
“The purpose of an EV SSL certificate is to authenticate a website to a user, period. PayPal, however, is wanting to use EV SSL support as a way of authenticating a user to PayPal. That makes no sense. PayPal has an interest in authenticating that people who want to use their service are valid. The presence or absence of EV SSL support in their browser is irrelevant. Does anyone really think that, say, the Russian Mob won’t be able to use IE to process PayPal transactions with stolen credentials?
“This stance won’t, for instance, prevent users from getting keyloggers on their machines to steal the information, being infected with a trojan that will silently process transactions while the user is logged-in, money mules from doing the heavy lifting for malicious individuals, cross-site scripting, or from a user giving up their credentials in a phishing attack to another website. In short, an EV SSL enabled browser proves nothing.”
(Link)
Posted by mhall at 3:53 PM