Will Paypal block Safari?
I picked this piece of news from Pinoytechblog, which in turn was quoting Computerworld.
So is it true that Paypal will block Safari?
And does that mean Safari is inherently less secure?
In an interview posted by Macworld, Paypal’s Chief Information Security Officer, Michael Barrett, says that Safari doesn’t make PayPal’s list of recommended browsers because it lacks two important anti-phishing security features.
Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari’s lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site.
When it comes to fighting phishing, “Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it,” he said. Apple representatives weren’t immediately available to comment on this story.
An emerging technology, EV certificates are already supported in Internet Explorer 7, and they’ve been used on PayPal’s Web site for more than a year now. When IE 7 visits PayPal, the browser’s address bar turns green — a sign to users that the site is legitimate. Upcoming versions of Firefox and Opera are expected to support the technology.
But here’s the thing: I couldn’t find anything in the PDF file that mentions that Safari will be blocked.
What it does mention is Paypal’s proposed three-tier approach:
There is, of course, a corollary to safer browsers – what might be called “unsafe browsers.” That is, those browsers which do not have support for blocking phishing sites or for Extended Validation Certificates (a technology we will discuss later in this section). In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.
The alarming fact is that there is a significant set of users who use very old and vulnerable browsers, such as Microsoft’s Internet Explorer 4 or even IE 3. Inevitably, this set of users is a subset of the passive group. We argue that it’s critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers. Further, we suggest that any Web site that asks for personal or financial information should consider logic along the following lines:
Version N (current) – allow with no messaging.
Version N-1 (previous major version) – allow, but with a warning message.
Version N-2, or older – disallow, with a message indicating why.
At PayPal, we are in the process of re-implementing controls which will first warn our customers when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe – usually the oldest – browsers.
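To make the N / N-1 / N-2 logic in the quoted passage concrete, here is an added example of how a site could implement it server-side. This is my own illustration, not PayPal’s code and not anything from the paper: the “current” major version per browser family in CURRENT_MAJOR is a constructed assumption for the example, the User-Agent patterns are a deliberately small heuristic, and (also an assumption) unrecognised agents are placed in the warn tier rather than blocked. Because the User-Agent header is supplied by the client, a check like this is a way to deliver upgrade messaging to cooperative users, not a control that stops a deliberate attacker.

```python
import re

# Constructed "current" major version per browser family. These are example
# values for the illustration, not PayPal's list, and would need maintaining.
CURRENT_MAJOR = {
    "msie": 7,
    "firefox": 2,
    "opera": 9,
    "safari": 3,
}

# Order matters: Opera could identify itself with an "MSIE" token for
# compatibility, so the more specific Opera pattern is tried first.
_UA_PATTERNS = [
    ("opera",   re.compile(r"Opera[/ ](\d+)")),
    ("msie",    re.compile(r"MSIE (\d+)")),
    ("firefox", re.compile(r"Firefox/(\d+)")),
    ("safari",  re.compile(r"Version/(\d+)[^ ]* Safari/")),
]


def parse_user_agent(ua):
    """Return (family, major_version), or (None, None) if unrecognised."""
    for family, pattern in _UA_PATTERNS:
        match = pattern.search(ua)
        if match:
            return family, int(match.group(1))
    # Safari releases before 3 sent only a "Safari/<build>" token and no
    # "Version/" token; report them as version 0 so they sort below any
    # version in the table.
    if "Safari/" in ua:
        return "safari", 0
    return None, None


def classify_browser(ua, current=CURRENT_MAJOR):
    """Apply the N / N-1 / N-2 tiering to a User-Agent string.

    Returns (decision, message) where decision is "allow", "warn" or "block".
    """
    family, major = parse_user_agent(ua)
    if family is None or family not in current:
        # Assumption for this example: unknown agents get a warning, not a block.
        return "warn", "Unrecognised browser; please use a current browser version."
    n = current[family]
    if major >= n:                      # version N (current)
        return "allow", ""
    if major == n - 1:                  # version N-1 (previous major version)
        return "warn", f"{family} {major} is one version behind; please upgrade to version {n}."
    # version N-2 or older
    return "block", f"{family} {major} is too old to use this site safely; please upgrade to version {n}."


if __name__ == "__main__":
    # Constructed sample User-Agent strings, one per tier.
    samples = [
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
        "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12",
        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.25",
    ]
    for ua in samples:
        decision, message = classify_browser(ua)
        print(f"{decision:5s}  {ua[:60]}  {message}")
```

The Opera sample shows why pattern order matters: matched against the MSIE pattern first it would be mis-tiered as IE 6 and warned, while it is actually a current Opera release and should be allowed.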
Nowhere does it mention that Safari will be blocked. Ars Technica is also careful not to jump to conclusions (bold text is mine):
Second-tier browsers, defined as being one major browser version back from the current version, will be allowed to log in, but will be warned that their browser version is out of date and does not include a phishing filter or does not support Extended Validation SSL certificates. PayPal doesn’t list the current browsers it considers to be second-tier, but the title would presumably apply to Firefox 1.5, Opera 8, and Internet Explorer 6.
Third-tier browsers are the only browsers that would be blocked from accessing PayPal altogether. Again, PayPal is light on the details, though the company does state that both Internet Explorer 3 and IE 4 fall into this category. The most surprising part of the company’s presentation, in fact, may have been its revelation that some PayPal users are actually still using IE 3 at all. Other browser versions likely to fall in this category include Opera 3.5 and below, and any 4.xx version of Netscape. IE 5.0/5.5, Opera 4.0-7.2, Firefox 1.0, and extremely early versions of Camino could potentially fall into either category.
But is Safari less secure than its competitors? I subscribe to the same thinking as Jeremiah: phishing attacks are attacks on visitors, not on technology, so the solutions aren’t likely to be technical. For me, user education is key: do not click links in email messages. If people don’t follow this simple advice, I don’t think any amount of browser pop-up warnings will be effective. Jeremiah also points to a study of Extended Validation, which reaches this conclusion (again, bold text is mine):
New browser technologies such as extended validation have the potential to defend against fraud by identifying the source of the content displayed on the screen. In this paper, we presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group. The participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear.
If extended validation becomes widespread, we expect that online criminals will try to mimic its trust indicator, just as they have copied other legitimate financial websites in the past. Like its predecessor, the lock icon, extended validation is vulnerable to picture-in-picture user interface spoofing attacks. We found these attacks to be as effective as homograph attacks, the best known phishing attack. Designing a user interface that resists both homograph and picture-in-picture attacks should be a high priority for designers of future browsers.
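The study quoted above names homograph attacks as the best-known phishing technique, which is the kind of thing a client-side or mail-gateway check can surface before a user ever sees a green address bar. As an added illustration (mine, not from the study, the post, or any browser vendor), the following Python flags a hostname whose labels are internationalised (punycode "xn--" labels) or mix letters from more than one script, which is how a Cyrillic "а" ends up inside an otherwise Latin brand name. It uses only the standard library; the script classification is a heuristic based on the first word of each character’s Unicode name, since the standard library exposes no Unicode script property, and the sample hostnames are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit


def _script_of(ch):
    """Approximate the Unicode script of a character from its name.

    ASCII digits and the hyphen are treated as script-neutral. Everything
    else is classified by the first word of its Unicode name, e.g. "LATIN",
    "CYRILLIC", "GREEK". This is a heuristic, not the Unicode Script property.
    """
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def decode_label(label):
    """Turn a punycode label such as xn--... into the Unicode it displays as."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed punycode; keep the raw label
    return label


def analyze_hostname(host):
    """Return a list of human-readable findings for a hostname (empty if clean)."""
    findings = []
    for raw in host.lower().split("."):
        label = decode_label(raw)
        if label != raw:
            findings.append(f"label '{raw}' is an IDN label that displays as '{label}'")
        scripts = {_script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    return findings


def check_url(url):
    """Classify a URL as 'ok' or 'suspicious' based on its hostname only."""
    host = urlsplit(url).hostname or ""
    findings = analyze_hostname(host)
    return ("suspicious" if findings else "ok"), findings


if __name__ == "__main__":
    # Constructed samples: a plain hostname and a lookalike with a Cyrillic "а".
    for url in ["https://www.paypal.com/", "https://www.p\u0430ypal.com/"]:
        verdict, details = check_url(url)
        print(verdict, url)
        for line in details:
            print("   ", line)
```

Mixed-script detection is the same rule most browsers later adopted for deciding whether to render an IDN label in Unicode or fall back to its xn-- form; it is one of the few homograph defences that does not depend on the user noticing anything.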
April 20 2008 12:15 pm | Software