[cryptography] not a Paypal phish using EV certificate

Ben Lincoln (F70C92E3) F70C92E3 at beneaththewaves.net
Tue Aug 13 12:25:23 EDT 2013


On Tue, August 13, 2013 6:25 am, John Levine wrote:

> I agree that it was not a great idea for Paypal to invent
> paypal-communication.com rather than a subdomain of one of their
> existing well-known domains such as communication.paypal.com.

Using a different second-level domain is generally a security and/or
bandwidth-optimization technique.

It means that cookies for paypal.com aren't sent by the browser with every
request to paypal-communication.com. This can provide huge inbound
bandwidth reduction, depending on how cookie-heavy PayPal is. This is one
of the reasons that a lot of high-traffic websites have a separate
second-level domain for static content.

It also means that if paypal-communication.com is compromised (maybe it is
run by a separate team with less-restrictive security practices than the
main site), it can't be used to host XSS attacks against the main PayPal
site, or server-side code that reads sensitive data from paypal.com
cookies, because a different second-level domain doesn't see the cookies
for the main site, and JavaScript hosted on paypal-communication.com can't
trigger actions on the client related to paypal.com unless a page on
paypal.com explicitly includes a script that's hosted on
paypal-communication.com.

Unfortunately, it does look somewhat suspicious from a phishing
perspective, especially if a link to a paypal.com subdomain redirects to
it, which (to an end user) looks a lot like what happens when a link to a
phishing site is disguised as a link to the real site.
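The cookie-scoping and same-origin behaviour the reply above relies on can be modelled directly. The following Python is an added example, not code from the list post or from PayPal: it implements the RFC 6265 domain-match, path-match and Domain-attribute validation rules plus a scheme/host/port origin comparison, and runs them over a constructed cookie jar. The hosts, cookie names and the tiny PUBLIC_SUFFIXES set are assumptions standing in for real PayPal cookies and the real Public Suffix List.

```python
"""Model of RFC 6265 cookie scoping and the same-origin check behind the
paypal.com / paypal-communication.com discussion.  Added example; the
cookie names, hosts and the tiny public-suffix set are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List: a browser will not let a site set a
# cookie scoped to one of these (constructed, not the real list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # canonical lower-case host, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: identical, or cookie_domain is a dot-delimited suffix."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def set_cookie(setting_host: str, name: str, domain_attr: Optional[str] = None,
               path: str = "/", secure: bool = False) -> Optional[Cookie]:
    """Browser-side storage rules (RFC 6265 s5.3): return the stored cookie,
    or None when the Domain attribute is rejected."""
    setting_host = setting_host.lower()
    if domain_attr is None:
        return Cookie(name, setting_host, host_only=True, path=path, secure=secure)
    domain = domain_attr.lstrip(".").lower()
    if domain in PUBLIC_SUFFIXES:                  # step 5: no "supercookies"
        return None
    if not domain_matches(setting_host, domain):   # step 6: must be own suffix
        return None
    return Cookie(name, domain, host_only=False, path=path, secure=secure)


def cookies_for_request(jar: list[Cookie], url: str) -> list[str]:
    """Names of the cookies a browser attaches to a request (RFC 6265 s5.4)."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    sent = []
    for c in jar:
        if c.host_only:
            if host != c.domain:
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and parts.scheme != "https":
            continue
        sent.append(c.name)
    return sent


def same_origin(url_a: str, url_b: str) -> bool:
    """Same-origin policy: scheme, host and port must all match."""
    def origin(u: str):
        p = urlsplit(u)
        port = p.port or {"http": 80, "https": 443}.get(p.scheme)
        return (p.scheme, (p.hostname or "").lower(), port)
    return origin(url_a) == origin(url_b)


def build_jar() -> list[Cookie]:
    """Constructed jar: what www.paypal.com and paypal-communication.com
    might each have stored in the same browser (hypothetical cookies)."""
    jar = [
        set_cookie("www.paypal.com", "session", domain_attr="paypal.com", secure=True),
        set_cookie("www.paypal.com", "csrf"),                    # host-only
        set_cookie("paypal-communication.com", "campaign"),
        # A compromised marketing host trying to plant a cookie on paypal.com
        # is rejected by the browser, so this entry never enters the jar:
        set_cookie("paypal-communication.com", "planted", domain_attr="paypal.com"),
    ]
    return [c for c in jar if c is not None]


if __name__ == "__main__":
    jar = build_jar()
    for url in ("https://www.paypal.com/", "https://communication.paypal.com/",
                "https://paypal-communication.com/", "http://www.paypal.com/"):
        print(f"{url:40} -> {cookies_for_request(jar, url)}")
    print(same_origin("https://www.paypal.com/", "https://paypal-communication.com/"))
```

Running it shows the two halves of the argument: a cookie set with Domain=paypal.com does travel to communication.paypal.com (so a subdomain would have received it), while nothing scoped to paypal.com is attached to a request for paypal-communication.com, and the Domain-attribute check stops that host from planting cookies on paypal.com. The origin comparison also shows that a paypal.com subdomain is a different origin for script purposes even though it shares the parent's cookies, which is why cookie scope and script scope are separate questions.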
