Some PayPal users plagued by security, log-in woes

16.02.2007
Some visitors to PayPal's Web site may be getting unexpected security warnings and log-in problems when they attempt to access the site or their accounts, a spokesman confirmed Friday.

The problems appear to be connected to an SSL security certificate used by Omniture Inc., a company PayPal is using to collect aggregate data about people using its Web site, the PayPal spokesman said. SSL certificates are used by Web browsers, such as Internet Explorer and Firefox, to check the authenticity of a site and to let users know whether a site is spoofed or not. The spokesman said the problem affects a "small portion" of PayPal users.

Omniture started using a new so-called wildcard SSL certificate on Jan. 29 that is causing problems for users of Windows 98 systems and even some newer versions of Windows when they attempt to access PayPal. "Users running outdated operating systems, like Windows 98, as well as some that are using more recent software are seeing these warnings when they use the PayPal service," the spokesman said. The company is working with Omniture to diagnose the problem and to fix it, he said.

Using Firefox to access PayPal provides an immediate work-around for all users, he added.

A wildcard SSL certificate allows a company to use a single certificate to authenticate multiple subdomains within a larger domain.

Several users on a PayPal forum on eBay have complained over the last few days about error messages popping up on their screens warning about the validity of the certificate issued to the site.

"Since yesterday, I have been getting an error pop-up that won't let me sign into PayPal," one forum poster said on Feb. 2. "It comes up saying 'the security certificate for this site has been revoked,' and I've tried signing in through eBay and PayPal's [site] direct. Neither will let me in."

Another poster cited an error message saying the security certificate was "invalid or does not match the name of the site" on every PayPal page the poster attempted to access.

One poster Friday claimed to be getting error messages, even when using Internet Explorer 7. The poster claimed to have deleted all cookies and history files, downloaded the latest Windows Security Updates and tried accessing PayPal directly and via eBay -- and a message saying PayPal's certificate had been revoked still popped up.

"EBay and PayPal will not be receiving my business until this issue is completely resolved," the poster said. "I have lost money and product because of this issue and I am not a happy customer. It's like having my bank close its doors indefinitely and I can't get to my money to pay my customers," the poster said.

Several posters expressed frustration at what they described as a lack of clarification from PayPal on the issue.

Bruce Toski, a computer consultant in Fort Lauderdale, Fla., said that an examination of the certificate causing all the problems shows that it is issued by Thawte Inc., a Cape Town, South Africa-based issuer of SSL certificates that is wholly owned by VeriSign Inc. "One also sees that it is issued to Omniture, which appears to be a company that excels at data mining," said Toski.

He expressed concerns about "encrypted data streams" from PayPal being captured by Omniture, and said until he hears from PayPal about the cause of the issue, he is unwilling to ignore the security warnings he gets when attempting to access PayPal. "Till they tell me otherwise, I have to assume the worst," said Toski, who uses Windows 98.

In an apparent response to such concerns, a poster called Olive from eBay this morning posted a brief statement on the PayPal forum, offering an explanation that differs from the one offered by the spokesman this morning.

"The reason you are receiving the security certificate warning message when visiting the PayPal Web site is due to our recent implementation of Microsoft's Extended Validation certificates," the poster claimed. "We believe that this is occurring mostly for users using older operating systems, like Windows 98. Because Microsoft no longer supports Windows 98, [users of] this software are unable to receive security upgrades and may continue to see this message indefinitely."

The poster also suggested that "specific browser settings or configurations" could cause similar problems for users of more recent operating systems, including Windows XP and Vista. "We are working on diagnosing the situation and hope to have a resolution soon."

The PayPal spokesman this morning downplayed concerns from forum members about Omniture and said that the company is simply a widely used Web analytics company collecting data about the number of people visiting the site. "We use Omniture strictly to track aggregate data. We don't share or sell any personal or financial data" to the company, he stressed.

A spokesman from Omniture said the company is aware of the issue. "It has been escalated to the top of the priority list within the support organization, and it should be addressed by the end of the day today," he said Friday. He provided no details on the nature of the problem.