Paypal TLS Security/Certificate information wrong - False negative EV (Extended Validation)
Hello,

Problem:
- Go to: http://industryrecycles.com/ and add an article to your cart
- Click on the "check out with paypal" button and you're redirected to paypal.com
- At first the address bar flashes green and shows that the site is secure, then the green disappears after a few seconds and the site is shown as if it offered no security functions at all
This problem has nothing to do with the latest TLS security issue. When I log in to my ebanking site, I get the strong green address bar and it shows the same information as the paypal site ("the server does not support secure TLS renegotiation" / TLS v1.0 256bit AES 2048bit).
So it's not the definition of Opera's strict EV (Extended Validation) and it's not Paypal either, because FF shows the site as green EV.
This sucks, because Paypal Checkout Express is always reached from a 3rd party site and you're redirected. So you definitely want to know if you're on the right site after the redirection. To use an unreliable EV (doesn't matter if false positive or negative) is absolutely lethal.
This refers to stable Opera releases as well as the actual v12 snapshots. Nevertheless these had several TLS fixes recently which is why I posted it here.
The direct cause seems to be a regression in 11.5x when the webpage contains an iframe that directly references an image. In this case a bug in internal processing accidentally lowers the security level to 0. I have sent an email to paypal about the issue and told them how to work around it.
Sincerely,
Yngve N. Pettersen
5. November 2011, 15:51:09 (edited)
Thanks for the quick answer and the background info yngve. However I don't really understand...
Why did you advise paypal to work around a regression that occurs in Opera? And if it's a known regression at Opera, why is it still present in the 11.60 and 12 snapshots (I guess these are developed independently)?
Don't get me wrong, I don't want to flame, but why should a big company fix an issue of a 3rd party browser when most users with other browsers with bigger market shares have no problems?
If it's really an Opera issue that is not a design error based on security standards compliance, I guess Opera has to initiate solving here.
Originally posted by yngve:
The direct cause seems to be a regression in 11.5x
Originally posted by yngve:
a bug in internal processing accidentally
Originally posted by sacharja:
Why did you advise paypal to work around a regression that occurs in Opera?
Because that could get the problem resolved for all 11.5x users well before an updated version of Opera can be released.
Originally posted by sacharja:
And if it's a known regression at Opera, why is it still present in the 11.60 and 12 snapshots
What about my statement makes you think the issue was known before today? What I know, regarding the regression, is that this does not fail in 11.11 and that it does fail in 11.52 and the most recent build I have of the 11.60 version, which indicates that the problem was introduced in 11.50 (which is why I call it a "regression").
AFAICT this problem has not been reported before, and considering the frequency and speedy arrival of reports saying "this page is not marked as secure, but should have been", I suspect that the reason this specific problem at Paypal Checkout has not been reported earlier (there are no relevant Paypal related issues reported in BTS, except the one I filed today, and there seem to be no related posts in the forums, either) is that it is a very recent occurrence. It might very well be that Paypal recently tweaked their web site design (if so, probably earlier this week), and thus accidentally triggered the problem.
Sincerely,
Yngve N. Pettersen
Originally posted by yngve:
is that it is a very recent occurrence.
Unhappy coincidence that my first use of paypal checkout was exactly in this time (didn't use one shop because of this).
Paypal seems to insert the hidden iframe as a counter
Hopefully it's fixed soon (one way or the other), now that everybody is used to the green/yellow address bar security information. However, thank you for reporting/documenting and the useful information.
I have noticed similar behaviour on my bank's new internet banking site (https://moja.tatrabanka.sk/ib-beta/ibanking.html). I was already writing a notice to them, but then I found this thread.
So before reporting to them, I would like to be sure, not to make a fool of myself by reporting to them a bug in my browser. Can anybody investigate, as I myself am not enough HTML specialist to do so.
Thanks.
As a sidenote, this behaviour demonstrates on this site also in Opera 10.60, so the regress would be pretty deep-going.
dvorax: This is not a regression, it is by design.
In this case it is the website's use of a ("secure") Flash applet loading unsecure resources that is causing the lowering of the security level (mixed security as we call it). It is downloading two unsecure files from http://fpdownload.adobe.com/ (http://fpdownload.adobe.com/pub/swz/crossdomain.xml and http://fpdownload.adobe.com/crossdomain.xml ), and that is, as it is supposed to do, lowering the security level for the entire document.
The website will have to fix the applet to load those files from the HTTPS source instead, and IMO those files should be moved to their own domain and not downloaded from a third party site.
Sincerely,
Yngve N. Pettersen
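The mixed-content rule Yngve describes (an HTTPS document is downgraded as soon as any subresource, including files a Flash applet fetches at runtime, comes over plain http://) can be checked before a site is reported. The following is an added example, not Opera's code or anything posted in this thread; the tag/attribute table, the sample markup and the host names bank.example and counter.example are constructed, and the applet's runtime fetches are supplied by the caller because a static parser cannot see them.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that trigger a fetch (simplified; assumption for this example).
FETCH_ATTRS = {"img": "src", "iframe": "src", "script": "src",
               "embed": "src", "link": "href", "object": "data"}

class SubresourceCollector(HTMLParser):
    """Collect the absolute URL of every subresource the markup would fetch."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(urljoin(self.base_url, attrs[attr]))
        # Flash embedded the old way: <param name="movie" value="x.swf"> inside <object>
        if tag == "param" and (attrs.get("name") or "").lower() == "movie" and attrs.get("value"):
            self.urls.append(urljoin(self.base_url, attrs["value"]))

def classify(doc_url, resource_urls):
    """Return (level, offending_urls); level is 'secure', 'mixed' or 'insecure'.

    Rule from the thread: an HTTPS document keeps its security level only if
    every subresource is HTTPS too; one plain http:// fetch (even a
    crossdomain.xml pulled by a Flash applet) downgrades the whole page.
    """
    if urlsplit(doc_url).scheme != "https":
        return "insecure", []
    bad = [u for u in resource_urls if urlsplit(u).scheme != "https"]
    return ("mixed" if bad else "secure"), bad

def audit_html(doc_url, html, runtime_fetches=()):
    """Parse the markup, add fetches the parser cannot see (what a Flash applet
    loads at runtime, supplied by the caller) and classify the document."""
    p = SubresourceCollector(doc_url)
    p.feed(html)
    return classify(doc_url, p.urls + list(runtime_fetches))

# Constructed sample modelled on the bank page in the thread; not real markup.
SAMPLE_DOC = "https://bank.example/ibanking.html"
SAMPLE_HTML = ('<script src="/js/app.js"></script>'
               '<object data="/flash/login.swf"></object>'
               '<iframe src="https://counter.example/pixel.html"></iframe>')
# What the applet fetches at runtime (the two URLs named in the thread).
FLASH_FETCHES = ["http://fpdownload.adobe.com/pub/swz/crossdomain.xml",
                 "http://fpdownload.adobe.com/crossdomain.xml"]
```

Running `audit_html(SAMPLE_DOC, SAMPLE_HTML, FLASH_FETCHES)` reports the page as mixed and names the two http:// crossdomain.xml fetches; the same markup without the applet's fetches is reported as secure, which is why the fix belongs in the applet's load URLs rather than in the browser.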