'Secure' PayPal page is... you guessed it

Agree!!

^^^^ Agree. Thats a very good point!!

@Herby

Considering that phishers are quite capable of producing HTML email that looks like plain text (it's not difficult), I don't quite see where the "much safer" comes from.

<mode="jaded_sysadmin">

"Much safer" would include not having email clients that display HTML. Many thanks to Microsoft, who started the whole HTML-email crap, and persisted despite numerous warnings of security risks.

McAfee opens mouth, inserts foot. Again. So does anarchic-teapot.

"Despite the proliferation of XSS attacks, McAfee's ScanAlert, which provides daily audits of ecommerce websites to certify them "Hacker Safe" gives clients the thumbs up even when XSS vulnerabilities are discovered on their pages."

John McAfee continues his tradition of after-the-fact security for at least twelve years. You have him to thank for convincing the media, and therefore the public, to use reactive anti-virus technology.

"Many thanks to Microsoft, who started the whole HTML-email crap, and persisted despite numerous warnings of security risks."

Mister Teapot, in the process of calling the kettle black, you forgot that you have Netscape Communications to blame for this one.

http://en.wikipedia.org/wiki/Browser_timeline

Netscape 3, complete with "Rich Text" e-mail as they called it, came out in 1996. Compare with IE3's release in January 2007. Further, Outlook didn't support HTML e-mail until Outlook 98, and Outlook Express / Internet Mail and News didn't support it until IE4 came out. You have Netscape Communications to blame for HTML e-mail, not Microsoft. You also have Netscape to blame for (shudder) Javascript.

I'd have taken the older scourge of winmail.dat attachments over HTML e-mail, brought to you by Netscape.

Fellow Amigoid!

Harry is an active member of the Amiga community. It is pretty neat to see an accomplishment like this come from our neighborhood.

Paris, because she is pretty neat, too.

PayPal and eBay sucks

You'd think that Apple owns the two of them considering the BUGGINESS and Greediness of the two companies are so alike.

We teach our kids to cross the roads carefully

isn't it time we took the same attitude to the Internet? You can lay down as many laws as you want and patch the holes as they are found but the Internet is always going to be a dangerous place. Teaching people to "Stop, look, listen" when on line wont make the web safer but it will reduce the number of people blindly walking into the obvious scams.

Behind the green bar

You pay more and have to jump through more hoops to get a digital certificate that triggers the green bar in the newer browsers. Well, you had to pay more and jump through more hoops to get a 'commercial' certificate in the 'old days' (TM). Obviously the vetting of the certificate providers was not good enough... so now you pay more to them again and jump through higher hoops again just because the providers didn't do a good job way back when. And they can get away with it!

"Unauthorized withdrawals or purchases made on PayPal accounts are fully reimbursed"

Careful now... you won't be reimbursed if somebody pays you with stolen credit card details - the card victim's bank will claim the money back with a chargeback, leaving you out of pocket; and you can't expect any sympathy (or in my experience, even a reply) from Paypal.

Don't use Paypal for anything other than small transactions that you don't mind losing out on.

@Phreaky

....Not even a mention of Apple, Billy must be proud of you

Not an EV issue at all

Once again EV gets bashed and without really understanding the concept behind it.

EV doesn't make anything "more secure", it sets a level playing field for the validation that is done to certify the business is a legitimate entity to trade with. SSL is more than just about encryption.

There is no "loop hole" in SSL, its just nobody ever checks the relying party agreements or Certificate policy statements so they can actually see what has been done to validate the entity before trusting a site. With EV at least its a standard approach which should be less confusing for the end user in the future.

Get your facts right before shamelessly bashing a technology that could actually bring down the cost of SSL, and provide higher levels of trust in the future.

re: HTML email

Exactly the point i've been making for years - one notable example of banks practising piss-poor security was an email from, IIRC, MBNA - sent via an unknown third party, and linking to their login page via yet another unknown third party.

I sent this little beauty direct to the banking ombudsman about 3 years ago pointing out how ridiculously stupid the bank had to be to operate in this manner, despite complaining about losses through fraud.

The response - "it's common industry practice"

So is fraud, but it doesn't mean it's right...

Ah, it's the weekend...

...they've let Webster out of the cage *g*

I like this whole "turn green" idea. I mean, if that happened on Camino or Safari while using PayPal I would feel... very confident about something being fishy.

Let the problem solve itself

@oliver

"Teaching people to "Stop, look, listen" when on line wont make the web safer but it will reduce the number of people blindly walking into the obvious scams."

In my view, people that blindly walk into these scams shouldn't be allowed to use computers in the first place, in the same way that people aren't allowed to drive cars without a demonstration of aptitude.

It's just sad that being a retard online doesn't have more fatal consequences, like when people don't "Stop, look, listen" and walk blindly into traffic.

Re: HTML email

NT 4.0 had IE as a standard browser, in 1996. If I recall right, it was IE 2.0.

Also some kind of email-program, called "Internet Mail" in setup, probably some ancient version of Outlook. (I'm running NT on a machine but of course those have been ripped out and replaced with safer software years ago. In NT you actually could get rid of IE completely.)

Both of course updated regularly in service packs.

I have a NT 4.0 SP1 installation CD so if there's disagreement with dates, I can install it on some machine and check.

Netscape 4.61 seems to be dated at 27.5.1999. I know I have earlier versions down to 2.x, but the machines they are in, are stored elsewhere.

Anyway, HTML in e-mail is a serious security risk and should be banned immediately and all messages containing it scrapped as spam/phishing attempt.

DNC

Do Never Clicksee

@SteveNZ

"if we are using Wikipedia as the truth...."

"O, that way madness lies; let me shun that; No more of that."

This quote comes from William Shakespeare's "King Lear". Taken from the famous scene when Lear looks at his Wikipedia entry and finds that he's been written up as Hitler's gay lover, a kiddie-fiddler with extensive investments in the arms trade and bio-tech industries and the original author of Black Lace's chart-topper "Agadoo".

@SteveNZ

>>it was the first version of OE - bundled with IE4 in Sep/Oct 2007

OE was 2007 was it? Looks like space time has got disturbed somewhere. ISTR OE on Win98...

mines the one with Pedant written across the back.

Yeeipes!

Ok dudes, stop messing with timelines... two people have messed with space-time and now both IE3 and Outlook Express have born in 2007 instead of 1996/97???

Mine's the one with the DeLorean's keys...

It's even worse

I frequently use Lynx to browse. It is text only. But places where I would want the most security (like banks) sometimes refuse to deal with a browser that doesn't do Javascript, let alone HTML.