| ▲ | kragen 14 hours ago |
| Is this a legitimate alternative domain name for PayPal, or is it a parody or phishing site? It's not paypal.com. Apparently it's legit: https://news.ycombinator.com/item?id=45250319 |
|
| ▲ | e40 6 hours ago | parent | next [-] |
| It’s so dumb because they are training everyone to be phished by scammers. |
| |
| ▲ | devoutsalsa 4 hours ago | parent | next [-] | | I was learning about cold email marketing earlier this year, and it's all about learning to be a spammer: - Registering lots of domains (launchmyapp.com, trymyapp.com, myapp.info, gomyapp.biz, etc.) - setting up a limited number of mailboxes per domain - warming email accounts up for 2 weeks by signing up for a service that sends to and receive messages from your accounts - setting up a meta inbox to track messages sent and received across all of your accounts Now pretty much every domain that isn't myapp.com looks like a spammer's domain to me. | | |
| ▲ | HWR_14 3 hours ago | parent [-] | | > cold email marketing earlier this year, and it's all about learning to be a spammer You sound surprised. What's the difference between "cold email marketing" and "spamming"? | | |
| |
| ▲ | papyrus9244 4 hours ago | parent | prev | next [-] | | They do the same with emails. I've got emails from them with links to paypal-communication.com. It's stupid. | |
| ▲ | nokiz 4 hours ago | parent | prev [-] | | Related: https://dev.to/phalkmin/comment/30pjg |
|
|
| ▲ | unstatusthequo 13 hours ago | parent | prev | next [-] |
| Nice of them to cause confusion to make phoning easier. No, corp.paypal.com/news or PayPal.com/corp/newsroom etc weren’t a good idea. I’d love to hear how decisions like this get made. |
| |
| ▲ | JonathonW 12 hours ago | parent | next [-] | | This approach (using a separate domain for content that isn't part of their service itself) has security advantages-- for example, this way a compromise of their news site CMS can't expose users' PayPal session tokens. It's decently common for websites to do this-- this is the same reason why Github Pages is hosted at github.io rather than github.com, and why static blobs are at githubusercontent.com. Those have a somewhat different threat model than PayPal's news site (hopefully PayPal isn't letting any random person add news stories...), but the premise is the same: if the thing does not need authentication tokens for the main service, make it so that it's impossible for it to get them. (You could get some of the same effect by scoping your cookies to a specific subdomain rather than allowing them to apply to all subdomains, but (1) that's not always how you want to structure your site, and (2) it's really easy to mess up and inadvertently scope a cookie too broadly (or for the browser to misbehave and send to subdomains anyways, which was the default behavior of one very prominent browser for a really long time). Using a different domain entirely sidesteps all of this completely.) | | |
| ▲ | bilekas 10 hours ago | parent [-] | | Maybe I'm missing something but you can't separate you're session and authentication with a different subdomain? Eg. My session on corp.paypal.com would be locked down to solely corp.paypal.com. From a practical sense, what different does a subdomain and a dedicated domain offer if you're managing your certs correctly? | | |
| ▲ | SahAssar 9 hours ago | parent | next [-] | | You can, but a lot of people lack the discipline to do so correctly. I'd prefer them to use corp.paypal.com, but as a security guy it's easier to just get them a separate domain and let them have their less-secured stuff completely isolated. | |
| ▲ | c0balt 9 hours ago | parent | prev | next [-] | | You can, but is difficult and prone to errors. Separate domains solve the root cause of the issue. The alternative is an entry on the public suffix list. | | |
| ▲ | notpushkin 5 hours ago | parent [-] | | Which would not be easy to get, considering PayPal is not running a public suffix. | | |
| ▲ | asddubs 4 hours ago | parent [-] | | you can request entries on it, the list is not just for TLDs | | |
| ▲ | notpushkin 4 hours ago | parent [-] | | Yes, but the list is for public suffixes, i.e. domains under which users can get their own subdomains. |
|
|
| |
| ▲ | 9 hours ago | parent | prev [-] | | [deleted] |
|
| |
| ▲ | andylynch 4 hours ago | parent | prev [-] | | This is common for corporate investor relations sites. They serve entirely different audiences and are usually separately managed for the product sites, it’s also common for the latter to be blocked by the companies which are the target audience for the former. |
|
|
| ▲ | r_singh 8 hours ago | parent | prev [-] |
| I’ve always felt that we need a tool to be able to answer such a question. My bank also uses a different hyphenated domain name on emails… another use case could be to check for legit social media profiles cause fakes are popular too and may not be discernible for regular grass touching not-so-online in 2025 individual. |
| |
| ▲ | addandsubtract 7 hours ago | parent | next [-] | | Maybe we could introduce the concept of subdomains. Paypal could, for example, have a corp.paypal.com address that points to their corporate blog. I know, a bit out there, but maybe DNS2 will ship with this feature. | | |
| ▲ | vbezhenar 5 hours ago | parent [-] | | With subdomains, you might leak cookies accidentally or maliciously to the root domain. They are not as separated as real domains are. | | |
| ▲ | progval 5 hours ago | parent [-] | | Then don't put anything on the root domain and use www.paypal.com for the main operations. corp.paypal.com's cookies are separated from www.paypal.com's. | | |
| ▲ | jeroenhd 4 hours ago | parent | next [-] | | But paypal.com's cookies are shared with corp.paypal.com and, depending on headers and fields, possibly vice versa. My browser lists 8 .paypal.com cookies and 2 www.paypal.com cookies when I visit www.paypal.com. Those cookies are shared with https://fastlane.paypal.com/ (some random subdomain I found online). They can separate those cookies out, of course, but they don't need to if they use separate domains and the cheapest work is work that doesn't need doing. They also seem to own paypal.ai which mcp.paypal.com redirects to the docs of it could also just be a branding thing. | |
| ▲ | vbezhenar 3 hours ago | parent | prev [-] | | www.paypal.com can create cookie for paypal.com and that cookie will be sent for corp.paypal.com requests. And vice-versa, of course. |
|
|
| |
| ▲ | cosmosgenius 4 hours ago | parent | prev | next [-] | | EV Certs used to do exactly that for me, that is until browser stopped make the visuals of it special. Don't think it would be even viable today given the short expiry (which is a good thing) of TLS certs necessary for browser https://en.wikipedia.org/wiki/Extended_Validation_Certificat... | | |
| ▲ | jeroenhd 4 hours ago | parent | next [-] | | You can still do all the checks you need, they're right there in the connection properties. This website is OV-certified (not EV) to PayPal, Inc. in San Jose by DigiCert Inc. You do need to know what US state PayPal is registered in for them to work, of course, as proven by https://arstechnica.com/information-technology/2017/12/nope-... during the time EV certificates were still considered special. I don't see why EV wouldn't be viable. ACME can work with any certificate. A certificate authority can just sign new certificates every week at the request of an authenticated ACME client. The biggest issue with this workflow is the CA's billing flow optimised for the "pay once, hand over a file once" workflow. | | |
| ▲ | nailer 16 minutes ago | parent [-] | | I talked about introducing a notability criteria in the US, and other jurisdictions where duplicate registrations are possible. The Chrome people weren't interested. |
| |
| ▲ | shim__ 4 hours ago | parent | prev [-] | | Shouldn't be an issue to deliver two certificates an short lived one for TLS, an long lived one for the identity |
| |
| ▲ | ricardo81 5 hours ago | parent | prev [-] | | WHOIS used to be semi useful, though most records tend to be redacted for the average user now. `dig` on DNS also, if it resolves to the same IP as paypal for example, that adds confidence. Though again, nowadays less useful due to a lot of things being behind Cloudflare. |
|
