The recent leak of eBay user details will put the spotlight on eBay. Interestingly the share price dropped about 2% on announcement of the leak, and quickly recovered, so the markets clearly don’t think this leak will have a significant impact on eBay (but I’ve still changed my password).
Probably the markets should be somewhat disturbed by the Google Panda 4.0 update, if stories of a major drop in eBay rankings in Google are to be believed. The conspiracy theorists will no doubt assume this is part of Google’s strategy for buying eBay on the cheap.
Back in 2002 eBay purchased PayPal. PayPal has always been in my mind a leader in web security, pushing through as they did HSTS. Although with financial organisations a lot of that cleverness is in watching transactions and identifying bad patterns and suspicious activity, rather than expecting people to keep their credentials safe all the time (some will always leak).
Since PayPal deals directly with financial transactions, whereas eBay is generally one step removed, the risk of direct attack is much greater for PayPal, so their safeguards should be correspondingly greater. If someone compromises your eBay account there are a number of frauds they could try, but they typically can’t immediately start emptying your bank account.
Thus the risks from the eBay hack surround issues like identity theft, and password reuse (I wonder what proportion of people use the same password for PayPal as eBay?).
I took a very quick look at the eBay and PayPal sites to get a sense of how the two compare, not using any scanning tools (other than Qualys SSL Labs) since that would be illegal without permission. Mostly this is for my own edification, and to let me see how my own work compares with that of other web service providers.
| Property | eBay | PayPal |
| --- | --- | --- |
| Oldest TLS/SSL protocol offered | SSL 3 | SSL 3 |
| Latest TLS/SSL protocol offered | TLS 1.0 | TLS 1.2 |
| Symmetric key length negotiated by default Chrome (bits) | 128 | 128 |
| RC4 avoided | No | No |
| SSL used | Sign-in only | Always |
| Strict Transport Security | Not implemented | 180 days |
| Perfect Forward Secrecy | No | No |
| Server header claims | Apache-Coyote/1.1 | Apache |
| Cookies marked HttpOnly | 3 of 19 | 6 of 11 |
| Cookies marked Secure | 0 of 19 (not using HTTPS all the time) | 6 of 11 |
| X-Content-Type-Options header | Yes | No |
| X-XSS-Protection header | Yes | No |
| X-Frame-Options header | Not set | SAMEORIGIN |
| Distinct hostnames used to load home page | 14+, ignoring those blocked by browser security (see below) | 5 |
| Adverts | Yes | No |
| Flash adverts | Yes | No |

Observations (eBay):

- The sign-in page returns “Resource interpreted as Script but transferred with MIME type text/html”.
- my.ebay.co.uk gives this error on loading: Blocked a frame with origin “http://pages.ebay.co.uk” from accessing a cross-origin frame.
- The large number of servers is in part down to thumbnails, in part down to sharing your use of eBay with Facebook, and in part advertisers. However all these things expand the target area for attackers.

Observations (PayPal):

- The PayPal page source has a cool ASCII art “PayPal”.
- PayPal has cool MP4 videos embedded.
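The “distinct hostnames” row and the note about the number of servers come down to counting the origins a home page pulls resources from. The script below is an added example, not code from the original post, and the page URL and HTML it parses are constructed for illustration rather than eBay’s or PayPal’s actual markup. It counts the hosts the browser would fetch from, separates third parties from the page’s own host, and flags two of the other things in the table: subresources still fetched over plain HTTP and Flash objects.

```python
"""Count the distinct hostnames a page loads resources from, the way the
"Distinct hostnames" row above was derived, and flag resources fetched over
plain HTTP and Flash objects.  Added example, not code from the original
post; the page URL and HTML below are constructed for illustration and do
not reproduce eBay's or PayPal's markup."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an HTTPS page pulling from several other hosts.
CONSTRUCTED_PAGE_URL = "https://shop.example/"
CONSTRUCTED_HTML = """
<html><head>
<script src="https://static.example/app.js"></script>
<link rel="stylesheet" href="//cdn.example/site.css">
<link rel="canonical" href="https://www.shop.example/">
<script src="http://ads.example/tag.js"></script>
</head><body>
<img src="https://thumbs.example/1.jpg">
<img src="/local/logo.png">
<iframe src="https://social.example/like?u=shop"></iframe>
<object data="http://ads.example/banner.swf"
        type="application/x-shockwave-flash"></object>
<a href="https://help.example/">a link is navigation, not a load</a>
</body></html>
"""

# Attribute whose value the browser fetches when it meets the element.
LOADING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "embed": "src", "source": "src", "video": "src", "audio": "src",
    "object": "data", "link": "href",
}
# Only these <link rel> values trigger a fetch; canonical/alternate do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "shortcut icon", "preload", "prefetch"}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every element that causes a fetch."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = LOADING_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() not in FETCHING_LINK_RELS:
            return
        value = attrs.get(attr_name)
        if value:
            # urljoin resolves "/path" and scheme-relative "//host/path"
            # against the page, so "//cdn" on an HTTPS page becomes https://
            self.resources.append((tag, urljoin(self.page_url, value)))


def analyse(page_url, html):
    """Return the hostname set and the risk indicators for one page."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    urls = [url for _, url in collector.resources]
    page_host = urlsplit(page_url).hostname
    hosts = sorted({urlsplit(u).hostname for u in urls})
    return {
        "hosts": hosts,
        # every extra host is another party whose compromise affects this page
        "third_party": [h for h in hosts if h != page_host],
        # http:// subresources on an https page are mixed content, tamperable on the network
        "insecure": sorted({u for u in urls if urlsplit(u).scheme == "http"}),
        # Flash objects: plugin code with its own attack surface
        "flash": [u for t, u in collector.resources
                  if t in ("object", "embed") and u.lower().endswith(".swf")],
    }


if __name__ == "__main__":
    result = analyse(CONSTRUCTED_PAGE_URL, CONSTRUCTED_HTML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a saved copy of a home page, this gives the same kind of count as the table row; resources injected by scripts at run time are not seen by a static parse, which is one reason the eBay figure is given as “14+”.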
The above is a gross simplification of the sites’ behaviour; for example eBay uses several different server technologies, and I just listed the first I found.
I was surprised that eBay still falls back to HTTP (site without a padlock) after you log in. If advertising-supported sites can afford to use HTTPS everywhere, its absence from eBay seems anomalous, especially since these days a lot of the cost is borne by content distribution networks. Staying with HTTPS (the padlock), like PayPal, means a whole class of attacks (reading session cookies or tampering with pages on an untrusted network, for instance) can’t even be attempted.
Overall my initial impression is confirmed: PayPal is (as one would expect) substantially better secured. In the table I’ve highlighted “bad” things in red and “good” things in green, for arbitrary definitions of good and bad that are simply my humble opinion.
eBay, and to a lesser extent PayPal, aren’t keeping abreast of the latest developments that would help them secure their sites, or clearing away all the junk. For PayPal this looks mainly like the difficulty of making big changes in a large organisation; for eBay there is a hint of under-investment.
SSL 3 is one of the protocols behind the padlock (HTTPS); dropping it would mostly disadvantage Internet Explorer 6 users, and you don’t want to be using IE6, and there aren’t many IE6 users left. Although big sites can put a monetary cost on the impact of dropping SSL 3 and decide it is worth keeping, I suspect it is simply that no one has considered dropping it yet.
The use of the various “X-” headers is mixed, with eBay getting some right and PayPal others. eBay manages to serve content with the wrong content type, which the browser “sniffs”, before you reach the pages that send the “don’t sniff” header. X-XSS-Protection is probably less useful than it sounds, as the filter it enables is probably on by default in most browsers that understand it; I didn’t try to figure out whether PayPal sends it when they detect less sensible browsers. X-Frame-Options matters less when you haven’t taken steps to enforce HTTPS in the first place, since an attacker who can already tamper with an HTTP page doesn’t need to frame it (clickjacking from a malicious third-party page works against an HTTPS page too, though, so the header is still worth sending). As such there is nothing in the “X-” headers that is THAT important.
The rest of the comparison boils down to eBay grabbing content from a lot more sites, and clearly not looking for, or addressing, the warnings that browsers raise when loading their pages.
Nothing that has been disclosed so far suggests eBay was compromised via the public website. I would nonetheless refrain from using eBay on public wireless networks, since HTTPS is not used throughout.
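The header and cookie rows of the table, and the discussion of the “X-” headers above, can be checked mechanically from a captured response. The following is an added example, not code from the original post: it parses a raw HTTP response, reports the Server header, the HSTS max-age in days, how many cookies carry HttpOnly and Secure, and which of the “X-” headers are present, and then lists the weaknesses that follow. The two responses it audits are constructed for illustration and are not anything eBay or PayPal actually sent.

```python
"""Audit a captured HTTP response for the header and cookie properties in the
comparison table above (Server, HSTS, cookie flags, the "X-" headers) and
list the resulting weaknesses.  Added example, not code from the original
post; the two responses below are constructed and do not reproduce anything
eBay or PayPal actually sent."""
from dataclasses import dataclass, field
from typing import List, Optional

CONSTRUCTED_RESPONSES = {
    # site-a: sets the "X-" headers but has no HSTS and no Secure cookies
    "site-a": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Set-Cookie: s=abc123; Path=/; HttpOnly\r\n"
        "Set-Cookie: pref=en-GB; Path=/\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    # site-b: HSTS for 180 days, Secure cookies, frames restricted, no nosniff
    "site-b": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
        "Set-Cookie: sid=xyz; Path=/; Secure; HttpOnly\r\n"
        "Set-Cookie: lang=en; Path=/; Secure\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n"
        "<html>...</html>"
    ),
}


@dataclass
class Audit:
    server: str
    hsts_days: Optional[float]      # None when the header is absent
    cookies: int
    httponly: int
    secure: int
    nosniff: bool
    xss_protection: bool
    frame_options: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_headers(raw):
    """Return [(name_lower, value)] from a raw response, dropping status line and body."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_flags(set_cookie):
    """(httponly, secure) for one Set-Cookie value; attributes are case-insensitive."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return "httponly" in attrs, "secure" in attrs


def hsts_max_age_days(value):
    """max-age directive of a Strict-Transport-Security value, in days."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val) / 86400
    return None


def audit(raw):
    headers = parse_headers(raw)
    first = {}
    for name, value in headers:          # first occurrence wins for single-value headers
        first.setdefault(name, value)
    flags = [cookie_flags(v) for n, v in headers if n == "set-cookie"]
    hsts = first.get("strict-transport-security")
    a = Audit(
        server=first.get("server", ""),
        hsts_days=hsts_max_age_days(hsts) if hsts else None,
        cookies=len(flags),
        httponly=sum(1 for h, _ in flags if h),
        secure=sum(1 for _, s in flags if s),
        nosniff=first.get("x-content-type-options", "").lower() == "nosniff",
        xss_protection="x-xss-protection" in first,
        frame_options=first.get("x-frame-options"),
    )
    if a.hsts_days is None:
        a.findings.append("no HSTS: later visits can still be downgraded to HTTP")
    elif a.hsts_days < 180:
        a.findings.append("HSTS max-age shorter than 180 days")
    if a.cookies and a.secure < a.cookies:
        a.findings.append("cookies without Secure will be sent over plain HTTP")
    if a.cookies and a.httponly < a.cookies:
        a.findings.append("cookies without HttpOnly are readable by injected script")
    if not a.nosniff:
        a.findings.append("no X-Content-Type-Options: browser may sniff wrongly typed responses")
    if a.frame_options is None:
        a.findings.append("no X-Frame-Options: page can be framed by other origins")
    return a


if __name__ == "__main__":
    for site, raw in CONSTRUCTED_RESPONSES.items():
        print(site, audit(raw))
```

A real audit has to run this over every response in a session, not just the home page: the table’s cookie counts (“0 of 19”) came from the whole set of cookies the sites issue, and a Secure flag on the sign-in cookie is worthless if a later HTTP page sets a session cookie without it.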