PayPal recently released a whitepaper during RSA detailing the steps the company will take to curb the large volumes of Phishing attacks, which use the company as a source. One of the steps was browser blocking, which would block browsers that do not support anti-Phishing technology and EVSSL.
PayPal says they will not block Safari...but they have yet to explain what they have against Apple or the browser. (IMG:J.Anderson)
Once the whitepaper started to gain momentum, many people noticed the clause aimed at blocking outdated browsers. The criteria for blocking a browser were listed as outdated browsers and browsers that do not support EVSSL and anti-Phishing. In the past, PayPal CTO Michael Barrett has taken issue with Apple’s browser, and the whitepaper seemed to take a shot at Safari without naming it.
The connection was made because it is well known that Safari does not contain anti-Phishing protections or support EVSSL. Neither the OS X release of Safari nor the Windows release supports these features.
Added to that are Barrett’s comments. “Safari has got nothing in terms of security support, only SSL, that's it,” he said. “Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”
The whitepaper also stated that offering browsers that do not have these protections (EVSSL and anti-Phishing) is tantamount to offering cars without seatbelts.
“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts. At PayPal, we are in the process of re-implementing controls, which will first warn our customers when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe – usually the oldest – browsers,” the paper reads.
Friday, after people started attacking PayPal over the browser policy, PayPal issued this statement: “We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website.” While pointing out that Safari is safe for now, they did not mention when they would start blocking browsers.
There is another issue. PayPal said in their paper that they are looking at older browsers, for example IE 3 and IE 4. Apple only offers security patches and updates to Safari 3.0. The paper states, and PayPal confirms, that the security blocks on browsers are aimed at “obsolete browsers on outdated or unsupported operating systems.”
Safari 2.0 is “supported” in the sense that Tiger is still being maintained by Apple. (Tiger is the name for OS X 10.4.) However, technically, because of the lack of security fixes for Safari 2.0, PayPal could issue a block to that browser. PayPal would not respond to requests for clarification.
Ruth, Apr 21st, 2008 - 20:27:34
I have my anti-phishing turned off in IE. Going to block that? Sounds like an odd reason to block a browser as the feature can be disabled in most browsers.