PayPal suspends account of security researcher for showing its SSL vulnerability

The PayPal account of independent security researcher Moxie Marlinspike, who distributes his tools from his own website, was suspended by the online payments company on the grounds that he used its services to accept payments for “items that show the personal information of third parties in violation of applicable law”. The suspension came after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

The company has not provided any details about which item violates PayPal policy. Meanwhile, the suspension effectively freezes more than $500 in the account until Marlinspike submits a signed affidavit swearing that he has removed the PayPal logos from his site.

Marlinspike has been using the payment processor’s services since 2002 to accept donations for his hacking tool SSLSniff, and more recently he released a program called SSLStrip, whose download page also carries a donate button. It was only after someone published a counterfeit SSL certificate on Monday that PayPal took action against the account.

A spokesperson for PayPal stated that the company does not “allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information.” Yet the payment system and its parent company eBay permit groups distributing dozens of other hacking tools, including the Wireshark packet sniffer, which can be used to reveal the passwords of unsuspecting victims, to accept payments by PayPal.

The spokesperson did not explain how the company determines that programs such as Wireshark and Cain & Abel have legitimate uses while the tools offered by Marlinspike do not.

Marlinspike says that at the Black Hat security conference in July he taught a training class for penetration testers covering everything they would need to test and carry out attacks on SSL certificates, and that as part of the class he handed out a proof-of-concept certificate. He states that every student signed an agreement stipulating that the material was for evaluation purposes only, and adds that he has never accepted payments via PayPal for training. The only items distributed on the PayPal-adorned pages are SSLStrip and SSLSniff, and he says no bogus certificates were ever published on his site.
