eBay v PayPal

The recent leak of eBay user details will put the spotlight on eBay. Interestingly the share price dropped about 2% on announcement of the leak, and quickly recovered, so the markets clearly don’t think this leak will have a significant impact on eBay (but I’ve still changed my password).

Probably the markets should be somewhat disturbed by the Google Panda 4.0 update, if stories of a major drop in eBay rankings in Google are to be believed. The conspiracy theorists will no doubt assume this is part of Google’s strategy for buying eBay on the cheap.

Back in 2002 eBay purchased PayPal. PayPal have always been in my mind a leader in web security, pushing through as they did HSTS. Although with financial organisations a lot of that cleverness is in watching transactions and identifying bad patterns and suspicious transactions, rather than expecting people to keep their credentials safe all the time (some will always leak).

Since PayPal deal directly with financial transactions, where as eBay is generally one step removed, the risk of direct attack in much greater for PayPal, so their safeguards should be correspondingly greater. If someone compromises your eBay account there are a number of frauds they could try, but they typically can’t immediately start emptying your bank account.

Thus the risks from the eBay hack surround issues like identity theft, and password reuse (I wonder what proportion of people use the same password for PayPal as eBay?).

I took a very quick look at the eBay and PayPal sites, not using any scanning technologies (other than Qualys SSL Labs) since that would be illegal without permission to gather a sense of how the two sites compare. Mostly this if for my own edification, and to allow me to compare how my own work compares with that of other web service providers.

eBay PayPal
Oldest TLS/SSL Protocol SSL 3 SSL 3
Latest TLS/SSL Protocol TLS 1.0 TLS 1.2
Encryption Keys Length (default Chrome) 128 128
RC4 Avoided No No
SSL Used Sign-In Only Always
Strict Transport Security Not Implemented 180 days
Perfect Forward Secrecy No No
Server header claims Apache-Coyote/1.1 Apache
Cookies marked HTTPonly 3 of 19 6 of 11
Cookies marked secure 0 of 19 (not using HTTPS all the time) 6 of 11
X-Content-Type-Options header Yes No
X-XSS-Protection header Yes No
X-Frame-Options Not Set SAMEORIGIN
Distinct Hostname used to load home page 14+ ignoring those blocked by browser security (see below) 5
Adverts Yes No
Flash Adverts Yes No
Observations Observations
Sign-in Page returns “Resource interpreted as Script but transferred
with MIME type text/html”
PayPal page source has a cool ASCII art “PayPal”
my.ebay.co.uk gives this error on loading: PayPal has cool MP4 video’s embedded
Blocked a frame with origin “http://pages.ebay.co.uk” from accessing a cross-origin frame.
The large number of servers is in part down to thumbs, in part down to sharing your use of eBay with Facebook, and in part advertisers. However all these things expand the target area for
attackers.

The above is a gross simplification of the sites behaviours, for example eBay uses several different server technologies, I just listed the first I found.

I was surprised that eBay still falls back to HTTP (site without a padlock) after you login. If advertising supported sites can afford to use HTTPS everywhere, its absence from eBay seems anomalous, especially since these days a lot of the cost is borne by content distribution networks. Staying with HTTPS (the padlock), like PayPal, means a whole host of attacks can’t even be attempted.

Overall my initial impression is confirmed. PayPal is (as one would expect) substantially better secured. I’ve highlighted in red “bad” things, and green “good” things for arbitrary definition of good and bad which are simply my humble opinion.

EBay, and to a lesser extent PayPal, aren’t keeping abreast of the latest developments to help them secure their sites, whilst clearing away all the junk. For PayPal this looks like mainly the difficulty of making big changes in large organisations, for eBay there is a hint of under investment.

SSL3 is one of the protocols behind the padlock (HTTPS), dropping it would mostly disadvantage Internet Explorer 6 users, and you don’t want to be using IE6 and there aren’t many IE6 users left. Although it is possible big sites can put a monetary cost on the impact of dropping SSL3, and decide it is worth keeping, I suspect it is simply no one has considered dropping it yet.

The use of various “X-” headers is mixed, with eBay doing something right, and PayPal others. Although eBay manages to serve content with wrong content type that the browser “sniffs” before reaching the pages which serve the “don’t sniff” header. X-XSS-Protection is probably less useful than it sounds, as it is probably the default for most browsers that understand it, I didn’t try and figure out if PayPal sends it when they detect less sensible browsers. Similarly the X-Frame-Options is less relevant when you haven’t taken steps to enforce the use of HTTPS in the first place. As such there is nothing in the “X-” headers that is THAT important.

The rest of the comparison boils down to eBay grabbing content from a lot more sites, and clearly don’t look for, or address warnings, that browsers spot in loading their pages.

There is nothing that has been disclosed so far that suggests eBay was compromised via the public website. I would refrain from using eBay on public Wireless networks due to HTTPS not being used throughout.

Leave a Reply

Your email address will not be published. Required fields are marked *