It's a big week for phishing attacks and SSL
There's a lot going on this week. We've seen the widespread publicity of the theft of free e-mail accounts across a broad range of webmail providers. And at the same time we've seen the first detected instance of a null character attack in the wild. This story is still ongoing, the latest development being that PayPal has shut off the account of the researcher who created the null character certificate being used in this attack.
The connection between these two events is the ongoing need for knowledge of authentic identity and the role of EV SSL in providing that knowledge. In the case of the e-mail sites, they take advantage of Extended Validation SSL very little, and so they're missing out on the opportunity to protect their customers (and suffering the resulting brand damage right now). That simple measure would go a long way in defending against straightforward phishing attacks.
On the other side of the spectrum we see PayPal, who is widely known to have adopted an all-in EV strategy from the very beginning. PayPal attributes to this strategy in part its success in greatly diminishing the quantity of phishing aimed at its brand, and we see that decision paying dividends again today. As opposed to the e-mail phish, this attack on PayPal is using the latest techiniques on the cutting edge. And yet, because PayPal is a rigorous EV user, the attack is rendered harmless to over two thirds of Internet users.