Extended Validation No Guarantee Against Cross-Site Scripting Attacks
Given that anyone can get an SSL certificate these days for next to nothing, that “lock” in your browser only means that the content is encrypted. What it does not tell you is who you are actually connecting to, which is the very thing SSL was designed to establish.
Internet Explorer 7 and Firefox 3 beta support something called Extended Validation (EV) SSL certificates. Basically, in order to get an Extended Validation certificate, you must pass a certain set of identity-vetting criteria (and pay an order of magnitude more money) for the privilege. What do you get? Users with an EV-enabled browser will see a green bar in the URL field saying, in effect, “yes, you’ve connected to PayPal” or whomever.
Leave it to someone to find a cross-site scripting vulnerability, in PayPal, no less. This means someone can inject code, through another site, into PayPal. If you’re logged into PayPal when this code runs, who knows what could happen!
With multi-tabbed web browsers the norm these days, where you’re potentially logged into multiple web sites at once, it’s entirely possible for a script on one page to “inject code” into a different website and do nefarious things on your behalf, without your knowledge!
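The reason a cross-site scripting hole exists at all is that a page copies untrusted input into its HTML without escaping it. The following is an added example written for this post; it is not PayPal’s code and is not from the original article. It assumes a hypothetical greeting page that takes a name from the URL, shows the vulnerable concatenation beside the hardened version, and includes a small constructed check that tells the two apart.

```javascript
// Added example (not from the original post, and not PayPal's code).
// Assumed scenario: a page that greets the visitor by a name taken from
// the query string. Whatever arrives there is attacker-controlled input.

// Characters that carry meaning in HTML, mapped to their entity forms.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every HTML-significant character so the browser renders the
// input as literal text instead of interpreting it as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the name is concatenated straight into the page,
// so any tags it contains become part of the document.
function renderGreetingUnsafe(name) {
  return "<p>Welcome back, " + name + "!</p>";
}

// Hardened pattern: the same template, but the name is escaped first.
function renderGreetingSafe(name) {
  return "<p>Welcome back, " + escapeHtml(name) + "!</p>";
}

// Constructed detection heuristic: true if the rendered fragment contains
// any tag other than the <p> wrapper that the template itself emits.
function containsInjectedTag(html) {
  const inner = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample input: the classic textbook probe for a reflected
// XSS hole. A real attack would carry something far less visible.
const SAMPLE_NAME = '<script>alert("xss")</script>';

// Stand-alone demonstration of both renderers on the sample input.
function demo() {
  const unsafe = renderGreetingUnsafe(SAMPLE_NAME);
  const safe = renderGreetingSafe(SAMPLE_NAME);
  console.log("unsafe:", unsafe, "-> injected tag:", containsInjectedTag(unsafe));
  console.log("safe:  ", safe, "-> injected tag:", containsInjectedTag(safe));
  return { unsafe, safe };
}

demo();
```

The escaping function is deliberately context-specific: it is correct for text placed between HTML tags or inside a quoted attribute, which is the only context the assumed template uses. Input that ends up inside a `<script>` block, a URL, or a CSS value needs a different encoder, which is why frameworks ship several rather than one.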
What can you do about it? For critical sites like PayPal, run them in a completely different browser. If you normally use Firefox, use IE for PayPal. Or Opera, or Safari. A cross-site scripting attack will have a hard time crossing the boundary into another program.
If you run Firefox like me, the NoScript plugin provides some protection against XSS attacks.