The Register's columns are getting better and better at web security related content.
In one single article, Dan Goodin managed to:
- Report an XSS hole in PayPal's "safe" area (the wet dream of every XSS kiddie), enabling all sorts of profitable scams, from credential stealing to automated transactions riding the session of an authenticated user.
- Make a very valid point about extended validation SSL certificates being overrated, if not just an expensive joke: the green bar is more than happy to "certify" an XSS-compromised page as legitimate (obviously, since the certificate vouches for the server's identity, not for the content the server happens to serve), so the perfect phishing attack works even better if you've got a modern, secure browser supporting EV SSL :)
- Deride McAfee's Hacker Safe one more time for its ridiculous stance on XSS vulnerabilities -- OK, that's just beating a dead horse...
Considering the wide coverage this epidemic enjoyed in the past week, I wonder what a "Certified Professional" usually reads aside from Microsoft EULAs...