PayPal plans to block Safari users

“PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don’t provide anti-phishing protection,” Ryan Naraine reports for eWeek.

“The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered ‘unsafe’ for financial transactions,” Naraine reports.

“‘In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,’ said PayPal Chief Information Security Officer Michael Barrett,” Naraine reports.

“In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a ‘significant set of [PayPal customers] who use very old and vulnerable browsers’ and made it clear that any browser that falls into the ‘unsafe’ category will be banned,” Naraine reports.

“Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of ‘unsafe browsers,’ but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates,” Naraine reports. “The EV SSL certificates are meant to provide trust to Web-based transactions. For example, if you use Microsoft’s IE 7 to visit a Web site secured with an EV SSL certificate, the URL address bar is displayed in green and offers the ability for the user to toggle between the organization name listed in the certificate and the issuing Certificate Authority.”

“Firefox and Opera have announced their intention to support EV SSL in upcoming releases,” Naraine reports. “Apple’s Safari browser, which is being aggressively pushed to Windows users, could conceivably be banned from accessing PayPal.com under the plan outlined by Barrett.”

Full article here.

[Thanks to MacDailyNews Reader “B-sabre” for the heads up.]

If you’re stupid enough to click on a “PayPal” link in an email, you must be a Windows user.

Q. How does blocking a browser from accessing PayPal’s legitimate site stop phishing?
A. It doesn’t.

PayPal just wants to teach everyone a lesson. Well, they just might get a costly one themselves instead.

This is all about Safari for Windows, not for Mac. Mac users have the Keychain. If you’re on a phishing site (a malevolent site masquerading as a legitimate site in order to steal your valuable info), your Keychain will not complete or autofill your username/password info. Gee, there’s a pretty huge sign that something’s wrong already, huh?
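As an added illustration of the point above (this is not code from the MacDailyNews post or from Apple’s Keychain), here is the mechanism that makes an origin-bound password store go quiet on a phishing page: saved credentials are keyed to the exact origin they were saved on, so a lookalike host never matches. The matching rules are a simplified model written for this example, not Apple’s actual implementation, and the stored credential is a constructed sample.

```python
from urllib.parse import urlsplit

# Constructed sample: credentials the user saved, keyed by the exact
# origin (scheme, host, port) of the login page they were saved on.
SAVED_CREDENTIALS = {
    ("https", "www.paypal.com", 443): ("alice@example.com", "hunter2"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def page_origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    # urlsplit already lowercases .hostname; strip a trailing dot so that
    # "www.paypal.com." and "www.paypal.com" are the same host.
    host = parts.hostname.rstrip(".")
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    if port is None:
        return None
    return (scheme, host, port)


def credentials_for(url, store=SAVED_CREDENTIALS):
    """Return the saved credentials to autofill on this page, or None.

    Autofill happens only when the page is served over HTTPS and its origin
    matches a stored origin exactly. Plain-HTTP copies of the site, lookalike
    domains, "www.paypal.com.<phishing-domain>" and "user@host" tricks in the
    URL all fall through and get nothing.
    """
    origin = page_origin(url)
    if origin is None or origin[0] != "https":
        return None
    return store.get(origin)


if __name__ == "__main__":
    for u in ("https://www.paypal.com/cgi-bin/webscr",
              "http://www.paypal.com/",
              "https://www.paypal.com.account-verify.example/"):
        print(u, "->", credentials_for(u))
```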

Should Apple add EV SSL to Safari? Maybe, maybe not; regardless, it’s really no substitute for users’ common sense. What’s next, anyway, XL SSL? XXL? SuperSized? Puleeze.

If you’re not an idiot, you don’t need a green URL to tell you that you’re secure: When you use a website that handles private or financial information, make sure the website is secure. Look for a lock icon in the upper-right corner of the Safari window. The lock icon means that the website has a certificate signifying to Safari that it’s a legitimate website and that information you exchange with it will be encrypted. Make sure the website’s address begins with “https” (instead of “http”). If the website is not secure, you may have been given a choice between a secure and an insecure connection when logging in to the site. Go back to the page where you logged in and check for a link to a secure login. Even if you don’t plan to view private information, it’s best to use a secure login whenever possible, to ensure that your login information is encrypted.

Digital certificates are used to validate users and hosts on the Internet. When you receive certificates from the Internet, you can add them to your keychain (including EV certificates) for quick access to secure websites and other resources. Once a certificate is added, it can be used by other compatible applications.

To add a certificate to a keychain:
1. Drag the certificate file onto the Keychain Access icon or double-click the certificate file (You can also add a certificate to a keychain by choosing File>Import).
2. If you want to view the contents of the certificate before you add it, click View Certificates in the dialog, and then click OK when you are done.
3. Choose a keychain from the pop-up menu and click OK.
4. If you’re asked to provide a name and password, type the name and password for an administrator user on this computer.

PayPal is not your mommy, users need to be responsible for themselves, and EV certificates are a scam designed to extract more money from website operators under the guise of more security. More about that last bit here.

One thing PayPal (and banks, online retailers, software developers, etc.) should keep in mind: Mac users, besides being better educated, also have more disposable income than your average web surfer and our numbers are growing. Block/ignore us at your own peril.

Want a faster, safer and more convenient way to shop online? Try Google Checkout. It’s Safari-compatible.

66 Comments

  1. Thanks for posting, MDN.

    Amazingly enough, nobody here has mentioned exactly how stupid this decision is. So, PayPal claims that, for security reasons, they will block Safari users.

    I don’t think any Safari user will switch their browser preference because PayPal now doesn’t accept them. They’ll get Firefox for paypal, and for all other sites they’ll use Safari. This includes all those phishing sites they get to visit after clicking on that ‘PayPal’ link in their e-mail. So, how again did PayPal protect those users from the phishing sites?

    EV-SSL certificates are no better than plain-vanilla SSL certificates at this. The point is, phishing sites are much cruder; they collect your data in plain text; no encryption, no security (like they care…). Phishing is successful with the millions of ignorant (inexperienced) web users (grandmas, aunts and other newbies) who have never heard of it and don’t suspect. Take them to a PayPal-looking website and they’ll think it’s PayPal. Nothing short of a blaring siren sound and flashing red STOP sign on their screen could indicate to them that they’re at a phishing site. No EV-SSL could ever protect an uneducated user. And an educated one already knows anyway.

    Google Checkout is a perfect alternative to PayPal. If your business depends on Mac users’ PayPal transactions, plan your switch very soon.

  2. I can see their point.
    But as MDN rightly points out: these EV-certs are a big scam.

    I’m just waiting for the day they are going to sell the “super-enhanced EV SSL” certificates, because the “normal EVs” are too insecure.

  3. I agree that MDN is off the mark on this one. I’ve watched phishing schemes become more and more sophisticated. PayPal is not the enemy here – they have everyone’s best interest in mind. More has to be done. Apple will work it out. They don’t have a choice if they want to keep their feature set competitive.

  4. nice inflammatory headline. and i can tell they’re not specifically targeting certain browsers like Safari, they’re saying any browser that does not meet their security standards. if the Safari/Webkit people can get the browser to be one of the first to pass the Acid3 test, then they certainly should be focusing on implementing these security measures. security needs to continue to be a priority for Apple and this should be no exception.

    also…i love Safari, but i’m not averse to firing up Camino or Firefox when needed.

  5. How does Paypal blocking Safari protect people from phishing? The threat isn’t on Paypal’s site, it is on the phishing sites. Safari will continue to load those sites. Anyone dumb enough to get suckered in the first place will still get suckered by the fake site.

  6. Sure seems like PayPal is doing little except to grab lots of headlines with this announcement. I have to wonder if PayPal are part of the group behind the EV-SSL scam?

    And doesn’t “Extended Validation” sound like someone at Microsoft came up with the name? Why add another confusing version of something which already exists and works? That would be like promoting MSOOXML when you’ve already got OpenDocument… oh wait.

    I’m a Firefox user, so this doesn’t directly affect me. But the fact that PayPal is taking this stance has directly resulted in me learning about Google Checkout as an alternative – not, I suspect, the result they were aiming for.

  7. Asmodeus, I second your comment. eBay is full of rip-offs except for companies with good track records. After having been taken more than once with eBay purchases I only buy locally from Craigslist posts or established companies, and I never use PayPal.

  8. “Hey, dis here Paypal won’t let me on dere site. Guess I gotta go to dat other one, Paypall, cuz dey always take my credit card.”

    Makes sense, Paypal, keep them off your site as a way to keep them off fake Paypal sites.

    Idiots.

  9. @Ron

    “‘Make sure the website’s address begins with “https” (instead of “http”). If the website is not secure, you may have been given a choice between a secure and an insecure connection when logging in to the site.’

    http://macdailynews.com/index.php/weblog/comments/17020/

    So MDN is NOT secure?”

    That’s right. Why would MDN need to be secure? No one is entering their financial information here. All we do is read news stories and comment on them. No reason any of that needs to be encrypted.

    @Romeodawg

    “MDN – your blind mac devotion is off the mark here. Why shouldn’t Safari just make itself a more secure browser? There SHOULD be red/green indicators of page security… Apple is supposed to be the computer friendly company, and I don’t see a lot of new computer users or kids or grandmas looking for an ‘s’ after the ‘http’ in the URL to determine for themselves if a site is safe.

    Everything is going online, everything needs to be secure, and Safari should be leading the way in online safety as Apple is leading the way in computer usability.

    What is the advantage of NOT being compliant?”

    Most grandmas don’t do a lot of online shopping and if they do they’re just as likely to be taken in by a phishing site no matter how many green URLs they see. Kids should not be using credit cards to shop online anyways since they’re not old enough to own a credit card. If you mean teenagers when you say kids, most of them know to look for the “s” at the end of https and for the lock icon.

    As for this EV SSL. It sounds like a scam to me. It’s no more secure than SSL from what I’ve heard. It’s just a Microshaft thing to make websites pay more for perceived security.

  10. ebay makes what it believes is a prudent business decision to protect customers and itself and with utter, brain-dead predictability, MDN labels everyone else an idiot.

    You know what they say: You spot it, you got it.

  11. It is about time that someone holds Apple to security!!! Apple sucks at security!! I say good !!! I use Firefox 3 with “NoScript” to add some safety to surfing. Apple is wide open to cross site scripting and iframe injection.

    Come on Apple get us some security add-ons to Safari. Lift a finger!

  12. Ironically, the legitimate PayPal site blocking certain browsers may just make it easier for phishing versions to appear legit. Here’s the typical user thought process that could ensue:

    “I got an email that says I need to verify my PayPal account info. But I heard from the nightly news that I’m not supposed to click links in emails. I will open Safari/Firefox and type in http://www.paypal.com Dang! It didn’t work – some weird error I didn’t really read about something not being secure. Well, let’s try the link in that email after all. Oh ok, that worked, no security error. I guess this link is the correct/secure version of PayPal. Ok then, let me type in my login credentials…”

  13. Ok most people here are blind sheep. Can’t agree with MDN here at all. Safari should have a graphical EV-SSL indicator for users. They should also help block phishing sites. Two basic and easy things to add. WTF does not auto-filling forms do for most people? BS. There should be an indicator. eCommerce is all about trusting a site. Why not have a green glowing circle beside the address bar? This stuff is easy, simple to add, and done the Apple way would be a great addition to migrate people over to Safari.

    Love Apple but being in eCommerce myself, shocked Safari hasn’t at least included EV SSL validation.

  14. another misguided car analogy:

    if this is true…

    “‘In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,’ said PayPal Chief Information Security Officer Michael Barrett,” Naraine reports.”

    …well i don’t need PayPal or anybody else (laws) protecting me from myself… there it is then.

    (excluding c1, of course.)

  15. @MSR

    “MacDailyNews, quit being so apologist. Safari should provide phishing protection, I almost got phished once, but luckily I was using FireFox at the time.”

    How would that help? In the article it says that FireFox also doesn’t have this EV SSL thing any more than Safari does. Right now it sounds like Safari and FireFox are doing the same thing to help protect you from Phishing, nothing.

    I still don’t think Safari needs this. The people who are likely to get taken in by Phishing are not likely to understand what the green URL means anyway and the rest of us are not likely to be taken in, in the first place. However, I imagine that Apple will add this to Safari eventually if it’s an open standard they don’t have to pay to license.

  16. If Safari HAD EV-SSL and IE7 DIDN’T:

    MDN’s Title would be: “Paypal plans on blocking IE7 users, Mac Safari users safe.”

    Then you’d see about 100 links about how insecure IE7 is and how you should switch to Safari if you want a secure browsing experience.

    You guys are a bunch of Pharisees.

  17. Strange how they announce this just as I start getting marketing email from Paypal… maybe someone somewhere said you cannot say don’t access paypal from email… you have to make that bit secure.
    As others have so correctly pointed out this doesn’t make any difference to security as the phishing sites are not exactly going to say “Sorry, you are using Safari so we don’t want your personal details. Please try again using Firefox!”
    Lame lame lame.
