[cryptography] not a Paypal phish using EV certificate

James A. Donald jamesd at echeque.com
Tue Aug 13 19:16:30 EDT 2013


On 2013-08-14 2:25 AM, Ben Lincoln (F70C92E3) wrote:
> On Tue, August 13, 2013 6:25 am, John Levine wrote:
>
>> I agree that it was not a great idea for Paypal to invent
>> paypal-communication.com rather than a subdomain of one of their
>> existing well-known domains such as communication.paypal.com.
> Using a different second-level domain is generally a security and/or
> bandwidth-optimization technique.
>
> It means that cookies for paypal.com aren't sent by the browser with every
> request to paypal-communication.com. This can provide huge inbound
> bandwidth reduction, depending on how cookie-heavy PayPal is.

Although websites often use huge numbers of huge cookies, one can easily
optimize one's cookie use. I can see no reason why anyone would ever
need more than a single 96-bit cookie that is a random number.
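
Added example, not part of the original thread: a Python sketch of the two points discussed above, namely which hosts receive cookies set for paypal.com under RFC 6265 domain matching, and a single opaque 96-bit random session cookie with all state kept server-side. The cookie names and sizes in the jar are constructed sample values, and `SessionStore` is a hypothetical in-memory store.

```python
import secrets


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (host names only, no IP literals)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def cookie_header_bytes(request_host: str, jar: dict) -> int:
    """Length of the Cookie header value a browser would attach for this host.

    jar maps a cookie's Domain attribute to its {name: value} pairs.
    """
    pairs = [f"{name}={value}"
             for domain, cookies in jar.items() if domain_match(request_host, domain)
             for name, value in cookies.items()]
    return len("; ".join(pairs))


class SessionStore:
    """Hypothetical store: the cookie carries only an unguessable lookup key."""

    def __init__(self):
        self._sessions = {}

    def create(self, state: dict) -> str:
        sid = secrets.token_hex(12)  # 12 bytes = 96 bits from the OS CSPRNG
        self._sessions[sid] = dict(state)
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)  # None for unknown or forged ids


# Constructed sample jar: two large cookies scoped to paypal.com.
HEAVY_JAR = {"paypal.com": {"prefs": "x" * 900, "tracking": "y" * 1200}}

if __name__ == "__main__":
    for host in ("communication.paypal.com", "paypal-communication.com"):
        print(host, cookie_header_bytes(host, HEAVY_JAR), "bytes of cookies per request")
    store = SessionStore()
    sid = store.create({"user": "alice", "prefs": "x" * 900})
    lean_jar = {"paypal.com": {"sid": sid}}
    print("single session cookie:",
          cookie_header_bytes("communication.paypal.com", lean_jar), "bytes")
```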


