[cryptography] not a Paypal phish using EV certificate
andy at steingruebl.com
Tue Aug 13 12:19:37 EDT 2013
On Tue, Aug 13, 2013 at 6:25 AM, John Levine <johnl at iecc.com> wrote:
> In article <E1V9Ac6-0005vx-2g at login01.fos.auckland.ac.nz> you write:
> >I recently got another of the standard phishing emails for Paypal,
> >me to https://email-edg.paypal.com, which redirects to
> >https://view.paypal-communication.com, which has a PayPal EV certificate
> >Verisign. According to this post
> >http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a
> >phishing attack (no-one's really sure), and this post
> >http://www.linuxevolution.net/?p=12 says it is a phishing attack and the
> >will be shut down by Paypal... back in May 2011.
> >Can anyone explain this?
Definitely a PayPal domain. Not sure why reports of it being phishing
would have been confirmed. I've asked the right folks if there was a bug.
> I agree that it was not a great idea for Paypal to invent
> paypal-communication.com rather than a subdomain of one of their
> existing well-known domains such as communication.paypal.com.
An entirely separate discussion though about how one runs lower and higher
security things on the same domain given how inflexible the same-origin
policy and cookie policies are. I agree these are tricky, but putting
everything on one domain is tricky as well...
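
The trade-off discussed in this exchange, as an added example that is not part of the original messages: a simplified model of RFC 6265 cookie domain-matching next to the same-origin check, showing that a subdomain of paypal.com shares cookie scope with the main site while a separate registrable domain does not. The host `www.paypal.com` and the helper names are assumptions for illustration, and the public-suffix check that browsers also apply is omitted.

```javascript
// Added illustration (not from the thread): cookie scope vs. same-origin for the hostnames discussed.
// Simplification: no public-suffix list check (browsers also refuse Domain=com and similar).

// RFC 6265 section 5.1.3: a host domain-matches if it equals the cookie domain
// or ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Model what the browser stores for Set-Cookie from settingHost.
// Returns null when the Domain attribute is rejected (setter is outside that domain).
function storeCookie(settingHost, domainAttr) {
  if (domainAttr === undefined) {
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatch(settingHost, domainAttr)) return null;
  return { domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Would the stored cookie be attached to a request for requestHost?
function cookieSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// The same-origin policy compares scheme, host and port exactly.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function report() {
  // www.paypal.com is an assumed main-site host; the other two come from the thread.
  const hosts = ["www.paypal.com", "communication.paypal.com", "view.paypal-communication.com"];
  const wide = storeCookie("www.paypal.com", "paypal.com"); // Domain=paypal.com
  const narrow = storeCookie("www.paypal.com");             // no Domain attribute: host-only
  return hosts.map((h) => ({
    host: h,
    domainCookie: cookieSentTo(wide, h),
    hostOnlyCookie: cookieSentTo(narrow, h),
    sameOriginAsWww: sameOrigin("https://www.paypal.com", "https://" + h),
  }));
}

console.table(report());
```

The subdomain is a different origin from `www.paypal.com` yet still receives, and can itself set, `Domain=paypal.com` cookies; the separate domain is isolated on both counts.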