PayPal to block users with old browsers, warns against Safar...


Piarco
Apr 18, 2008, 07:17 AM
I think I remember the folks at PayPal bemoaning Safari's apparent lack of security, but an active block due to the lack of Extended Validation SSL Certificates in Safari?

BBC Link (http://news.bbc.co.uk/1/hi/technology/7354539.stm)

Is this going to force Apple to add them to Safari if this is the start of a trend?

::Lisa::
Apr 18, 2008, 07:29 AM
Will I be the first person here to state that I think this is ridiculous?

I mean I do not need my browser address bar to glow neon green to know whether a site is non-phishing or not! I would not even want my browser to do that really, either. Maybe that is just me?

I would consider myself to be web aware. It only takes 2 seconds to hover over the link and tell, and besides most of these emails have such bad grammar people can tell a mile off! LOL. The likes of my husband though, I would not even trust him with a PayPal account. He is the type of person to do that.

I think "blocking" is a bit of a harsh tactic. I mean think about it. You cannot use PayPal, you do not know why, then you accidentally come across a phishing PayPal page. You then probably think that is real PayPal (because 'real' PayPal blocked you) and then enter your info. I can see that happening. Maybe all they need is a warning when logging in, similar to what you get when you have a resolution case open, stating that your browser is unsafe and linking to why.

Erwin-Br
Apr 18, 2008, 07:32 AM
Maybe it'll push Apple to take action. Not only does Safari lack anti-phishing support, it also doesn't handle evssl-certificates. Safari isn't the number one browser when it comes to safety, while safety has always been one of the spearheads of Apple's campaign against Microsoft.

--Erwin

Kilamite
Apr 18, 2008, 07:44 AM
I try to avoid PayPal as much as I can.

If they block Safari, that'll be a big customer base they'll be pissing off.

macamatic
Apr 18, 2008, 07:55 AM
I don't know why PayPal are bothering that much - it doesn't ever seem to be PayPal that end up out of pocket but their innocent customers instead.

superleccy
Apr 18, 2008, 08:04 AM
Is Safari REALLY as unsafe as PayPal says?

If "Extended Validation SSL Certificates" are so great, then why doesn't Safari support them?

Does PayPal think that Firefox is a "Safe" browser?

SL

nick9191
Apr 18, 2008, 08:07 AM
Not that big a deal, you can download firefox, although Safari is much better imo.

cw2k7
Apr 18, 2008, 09:35 AM
Maybe it'll push Apple to take action. Not only does Safari lack anti-phishing support, it also doesn't handle evssl-certificates. Safari isn't the number one browser when it comes to safety, while safety has always been one of the spearheads of Apple's campaign against Microsoft.

--Erwin

EV SSL certificates are only as secure as the site using them. The EV SSL certificates can cause people to lower their guard as it sounds like it's more secure and so they authorise things they would normally be wary of.

It's already been shown how a compromised site can display a valid EV SSL certificate while allowing cross-site scripts to be injected into a site.

Sourceforge was one of the EV SSL sites that had a flaw that allowed a cross-site script to be injected while still showing the green EV SSL approved address bar.

clevin
Apr 18, 2008, 09:54 AM
1. I wouldn't make judgment until I see the fact that paypal does this
2. It's a simple function, there is no reason to defend a position that's out of touch with the normal users, they need it, and that's the end of the story. You are well-informed enough that you don't need it? Good for you. But you don't represent the majority of users
3. Firefox IS a safe browser.

The EV SSL certificates can cause people to lower their guard as it sounds like it's more secure and so they authorise things they would normally be wary of.
I don't get this, for this type of logic, cars make people not want to walk and be healthy; a lifesaver might give users too much false security since it might have a small hole somewhere and sink in the ocean.

It's just so unreasonable to focus on 1% of exception and ignore the 99% of benefits. Nothing is perfect, I would be first to admit that, but get real and be honest.

If "Extended Validation SSL Certificates" are so great, then why doesn't Safari support them?
you can't be telling me that "anything apple doesn't use is bad or worthless"? aren't you?

wrldwzrd89
Apr 18, 2008, 09:56 AM
EV SSL certificates are only as secure as the site using them. The EV SSL certificates can cause people to lower their guard as it sounds like it's more secure and so they authorise things they would normally be wary of.

It's already been shown how a compromised site can display a valid EV SSL certificate while allowing cross-site scripts to be injected into a site.

Sourceforge was one of the EV SSL sites that had a flaw that allowed a cross-site script to be injected while still showing the green EV SSL approved address bar.
I use Firefox 2.0.0.14 for PayPal-related stuff; does this issue even affect me at all?

That said, I have to agree with cw2k7 here - EV SSL is an improvement, but certainly not a perfect solution.

superleccy
Apr 18, 2008, 10:12 AM
you can't be telling me that "anything apple doesn't use is bad or worthless"? aren't you?

No, it was a serious question. If there was a tone of sarcasm in there it wasn't intentional.

SL

clevin
Apr 18, 2008, 10:19 AM
No, it was a serious question. If there was a tone of sarcasm in there it wasn't intentional.
SL

Sorry I might wake up on the wrong side of the bed this morning....:(

if it's not a sarcastic question, then it's a great question we all should be asking, why?

I understand there was code within webkit that is related to anti-phishing, it was a planned function for safari 3 and was canceled eventually.

I don't think there is any difficulty in implementing this at all.

Two possibilities I can think of

1. Apple is not aware of the seriousness of phishing development in recent years and thinks it's not of great importance

2. Apple has trouble dealing with Security check providers for various reasons.

But for whatever reason, I hope next safari will have this. Users sure should educate themselves to be on high guard, but phishing is quite serious at times, and self-education sometimes might just not be enough.

Erwin-Br
Apr 18, 2008, 11:48 AM
I try to avoid PayPal as much as I can.

If they block Safari, that'll be a big customer base they'll be pissing off.

I try to use PayPal as much as I can. Not because I think they are great (far from it), but because I hate to re-enter my credit card information for every on-line retailer I do business with. Plus, more importantly, I don't want to leave my sensitive credit card information all over the place. Only PayPal has it, and I feel much safer about that. Think about it.

If you don't buy on-line a lot, I guess you could live without PayPal. Most retailers have the possibility to provide them with your credit card info directly on their site. If that's safe depends on the retailer, of course.

--Erwin

ltldrummerboy
Apr 18, 2008, 11:51 AM
The way I understood it was that they were blocking very old browsers. They only warned against Safari. Here's the article that I read.

http://www.pcworld.com/businesscenter/article/144813/paypal_to_block_users_with_old_browsers_.html

dejo
Apr 18, 2008, 01:23 PM
Two possibilities I can think of

1. Apple is not aware of the seriousness of phishing development in recent years and thinks it's not of great importance

2. Apple has trouble dealing with Security check providers for various reasons.
Here's a third possibility I can think of:

Apple is aware of the seriousness of phishing and has no trouble dealing with the security check providers but realizes that the phishers are very clever and whatever methods Apple puts in to stop them, the phishers will try to find ways around them. This ends up becoming a never-ending, escalating "arms war". Instead, Apple is developing ways to educate their users as to the dangers of phishing and will provide such education in a future browser update.

'Course I'm just guessing, same as you. :)

clevin
Apr 18, 2008, 01:26 PM
Here's a third possibility I can think of:

'Course I'm just guessing, same as you. :)

whatever, it's fine you just want to argue, if you think that helps anybody, go for it. :)

dejo
Apr 18, 2008, 02:02 PM
whatever, it's fine you just want to argue, if you think that helps anybody, go for it. :)
Who said I just want to argue? I don't. I thought I would just provide another possibility from a different perspective. I'm sure there are even more than just these three. And you must admit that your possibilities are just as much guesses as mine are, since neither of us works for the Webkit/Safari team.

clevin
Apr 18, 2008, 02:12 PM
And you must admit that your possibilities are just as much guesses as mine are, since neither of us works for the Webkit/Safari team.

really? for a browser of 2-3% marketshare globally, what makes you think if apple implements an anti-phishing measure, phishing makers will give a *** ?

dejo
Apr 18, 2008, 02:25 PM
really? for a browser of 2-3% marketshare globally, what makes you think if apple implements an anti-phishing measure, phishing makers will give a *** ?
:confused: Huh? I'm not even sure how you came to this question based on what you were quoting. But I'll address it anyways:

Presumably because these anti-phishing measures will be the same as all the other 'safe' browsers are using, i.e. Extended Validation SSL Certificates. Remember that's what started this thread.

clevin
Apr 18, 2008, 02:29 PM
well, you were the one saying that apple is afraid that if it adds anti-phishing measure to safari, phishing makers will get more "cleverer".:confused:

but realizes that the phishers are very clever and whatever methods Apple puts in to stop them, the phishers will try to find ways around them.

I'm just asking, does apple adding "whatever methods" have any impact on phishing makers at all? with 2-3% market share?

PS. EV is not what started this thread, "anti-phishing" is, and anti-phishing != EV.

gnasher729
Apr 18, 2008, 02:30 PM
Will I be the first person here to state that I think this is ridiculous?

It is. It is ridiculous because accessing PayPal with an unsafe browser is not unsafe. Accessing something that _looks_ like PayPal but isn't, that is the problem, and blocking an unsafe browser from the PayPal website doesn't stop this problem. The logic is: If PayPal is blocking your access, then you are at the PayPal site, and therefore there is no phishing happening right now.

Any criminals that managed to get your PayPal account details through whatever means will obviously use what PayPal calls a "safe" browser to empty your account.

clevin
Apr 18, 2008, 02:34 PM
blocking an unsafe browser from the PayPal website doesn't stop this problem.

you are right!:eek: hehe,

But after the revelation that paypal is only blocking ancient browsers, this might not be anti-phishing related after all, maybe just SSL, TLS related.

superleccy
Apr 18, 2008, 02:36 PM
The logic is: If PayPal is blocking your access, then you are at the PayPal site, and therefore there is no phishing happening right now.
Exactly. If the site you think is PayPal is blocking you, then it must be PayPal. See... no need for anti-phishing measures! :D

SL

clevin
Apr 18, 2008, 02:38 PM
Exactly. If the site you think is PayPal is blocking you, then it must be PayPal. See... no need for anti-phishing measures! :D

SL

nonononono, anti-phishing measure is for, when you visit a site looks like paypal, but actually is not.

really, eventually normal users gonna need this, and if safari doesn't offer it, there are other browsers with total 97% of market share they can pick...

dejo
Apr 18, 2008, 02:50 PM
I'm just asking, does apple adding "whatever methods" have any impact on phishing makers at all? with 2-3% market share?
But if those methods are the same methods that the other 97% of the browser market are using, then, yes, it does impact the phishing makers.
PS. EV is not what started this thread, "anti-phishing" is, and anti-phishing != EV.
Um, let me quote the first post in this thread:
I think I remember the folks at PayPal bemoaning Safari's apparent lack of security, but an active block due to the lack of Extended Validation SSL Certificates in Safari?
And let me also quote the BBC article linked to in the first post:
Paypal said it supported the use of Extended Validation SSL Certificates. Browsers which support the technology highlight the address bar in green when users are on a site that has been deemed legitimate.
The latest version of Internet Explorer support EV SSL certificates, while Firefox 2 supports it with an add-on but Apple's Safari browser for Mac and PCs does not.
To me, EV is what started this thread.

And P.S. yes, now I just want to argue. :D

clevin
Apr 18, 2008, 02:58 PM
But if those methods are the same methods that the other 97% of the browser market are using, then, yes, it does impact the phishing makers.

Um, let me quote the first post in this thread:

And let me also quote the BBC article linked to in the first post:

To me, EV is what started this thread.

And P.S. yes, now I just want to argue. :D

i knew it!

no, if 97% already has it, add 2-3% more doesn't change any situation for phishing makers. if you believe in common sense.

OP's word is a guess and a question, evident by a question mark.

you distorted BBC's report, EV support and mentioning of safari is not in the same section, and paypal said clearly they are blocking IE3, IE4, in that section, nothing about safari was mentioned.

dejo
Apr 18, 2008, 03:09 PM
EV support and mentioning of safari is not in the same section
Dude, it's in the same ****ing sentence!

The latest version of Internet Explorer support EV SSL certificates, while Firefox 2 supports it with an add-on but Apple's Safari browser for Mac and PCs does not.

MacBytes
Apr 18, 2008, 03:29 PM
Category: Apple Software
Link: PayPal to block users with old browsers, warns against Safari. (http://www.macbytes.com/link.php?sid=20080418162953)
Description:: PayPal suggests IE7, Firefox, or Opera.

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

quagmire
Apr 18, 2008, 03:32 PM
At a time when Apple is gaining ground in the market, PayPal decides to cut off support? Stupid, stupid, and furthermore stupid.

clevin
Apr 18, 2008, 03:47 PM
Dude, it's in the same ****ing sentence!

The latest version of Internet Explorer support EV SSL certificates, while Firefox 2 supports it with an add-on but Apple's Safari browser for Mac and PCs does not.

Dude, is that how you read the article?

Safari lack of EV support is a comment from BBC, as well as from paypal, but it is not the target paypal indicate that is going to be blocked, those are IE3 and 4.

Web payment firm Paypal has said it will block "unsafe browsers" from using its service as part of wider anti-phishing efforts.

Customers will first be warned that a browser is unsafe but could then be blocked if they continue using it.

Paypal said it was "an alarming fact that there is a significant set of users who use very old and vulnerable browsers such as Internet Explorer 4".

Phishing attacks trick users into handing over sensitive data.

Paypal said some users were still using Internet Explorer 3 , released more than 10 years ago. It lacks many of the security and safety features needed to protect users from phishing and other online attacks.

Legitimate sites

Paypal said it supported the use of Extended Validation SSL Certificates. Browsers which support the technology highlight the address bar in green when users are on a site that has been deemed legitimate.

The latest version of Internet Explorer support EV SSL certificates, while Firefox 2 supports it with an add-on but Apple's Safari browser for Mac and PCs does not.

"By displaying the green glow and company name, these newer browsers make it much easier for users to determine whether or not they're on the site that they thought they were visiting," said Paypal.

The steps were outlined in a white paper on managing phishing, written by the firm's chief information security officer Michael Barrett and Dan Levy, director of risk management.

In it, they said: "In our view letting users view the PayPal site on [an unsafe] browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts."

Paypal described the battle against phishing as a "fast-moving chess match with the criminal community".

As indicated by several people including me previously, paypal's blocking of unsafe browsers, probably has nothing to do with EV and safari. at all. don't let speculation get out of hand!

ltldrummerboy
Apr 18, 2008, 03:47 PM
How easy would it be for Apple to add a phishing filter to Safari? This seems to be the only gripe that PayPal has with it.

Edit: Safari also doesn't support SSL.
Edit #2: Safari does support SSL. But it doesn't support EVSSL, if you're into acronyms.

clevin
Apr 18, 2008, 03:52 PM
How easy would it be for Apple to add a phishing filter to Safari? This seems to be the only gripe that PayPal has with it.

Edit: Safari also doesn't support SSL.

are you serious?

PS, I reiterate my strong urge for apple to implement anti-phishing measure to improve more about safari's security.

But also, I don't think this blocking of unsafe browsers has much to do with EV support. now SSL is a different problem, but I think safari does support SSL.

superleccy
Apr 18, 2008, 04:06 PM
nonononono, anti-phishing measure is for, when you visit a site looks like paypal, but actually is not.
It was supposed to be a joke. Admittedly, a half-assed one...

really, eventually normal users gonna need this, and if safari doesn't offer it, there are other browsers with total 97% of market share they can pick...
Agreed.

SL

TEG
Apr 18, 2008, 04:08 PM
Safari supports SSL, as does nearly every browser on the market.

Anti-phishing is a retarded thing to push.

TEG

mcmarks
Apr 18, 2008, 04:16 PM
Edit: Safari also doesn't support SSL.

Yes, Safari DOES support SSL aka Secure Sockets Layer. That's the secure communication between your browser and a web site that causes the little padlock to be displayed.

What Safari doesn't have is Extended Validation SSL (sometimes referred to as EV). So, what. It doesn't stop phishing. It's just more money that businesses have to pay for certificates from certifying authorities. There's an article on Wikipedia that ends with a discussion about how a study of IE 7 with EV support showed that it didn't stop users from going to phishing sites any more often than without an EV browser.

Plus, they didn't say that PayPal was going to block Safari. They're just going to give you a warning. Go ahead, warn away.

Krevnik
Apr 18, 2008, 04:16 PM
are you serious?

PS, I reiterate my strong urge for apple to implement anti-phishing measure to improve more about safari's security.

But also, I don't think this blocking of unsafe browsers has much to do with EV support. now SSL is a different problem, but I think safari does support SSL.

Considering the problem I had trying to set up a personal certificate to use SSL on my home server? Yeah, it supports it. It complains to no end if you screw up the certificate in any small way as well. I can't even access yourdomain.com when the cert is signed for subdomain.yourdomain.com. :P

CTYankee
Apr 18, 2008, 04:40 PM
I like what Bank of America does. You log in using your user ID. It then shows you a 'site key' that you selected. It's just a small image or icon. You enter your password below. This way there is a visual prompt, that only you (should) recognize. If it's not there...WARNING!!

Is that so hard to implement or too easy to spoof?

dejo
Apr 18, 2008, 04:46 PM
As indicated by several people including me previously, paypal's blocking of unsafe browsers, probably has nothing to do with EV and safari. at all.
I wonder why it's even mentioned then.

bigandy
Apr 18, 2008, 05:03 PM
Can't we just ban idiots from the internet?

That'll stop all the problems.

bobdgil
Apr 18, 2008, 09:32 PM
Even if, unlikely as it is, Pay-Pal blocks Safari, I don't see how it's anything more than a small inconvenience. If you are a diehard Safari user, you probably have the Debug/Develop menu enabled. Just set your user agent to something Pay-Pal allows (I presume this would work)... or download firefox. Mac users would still have plenty of options.

clevin
Apr 18, 2008, 09:47 PM
Can't we just ban idiots from the internet?

That'll stop all the problems.

if "idiots" blocker is easier than phishing blocker, go ahead.;)

Just set your user agent to something Pay-Pal allows (I presume this would work)..
UA spoof isn't always working

bobdgil
Apr 18, 2008, 09:55 PM
UA spoof isn't always working
It usually works in cases in which the website specifically doesn't allow Safari to try to load it. Cases in which it doesn't work are usually compatibility issues. I'd presume that as Pay-Pal currently works in Safari, they wouldn't engineer their site so that Safari would be incompatible with it. I would think they would just filter by user agent.

ltldrummerboy
Apr 18, 2008, 11:30 PM
Sorry, I didn't know the difference between SSL and extended validation SSL. I still don't think PayPal is planning on blocking Safari, they're just advising against using it.

latergator116
Apr 18, 2008, 11:38 PM
I think Safari should block PayPal instead since they're a bunch of crooks.

gerardrj
Apr 20, 2008, 11:12 PM
If we can't get users to understand that they should not click links in email, then what hope do we have of getting them to understand that a green address bar might or might not mean the site is legitimate?

What I mean is that since EV SSL takes significant effort by the web site, not all sites will implement it. So the address bar might not be green but still be legit.

PayPal should implement a simple policy of education. Send out monthly emails to every account holder stating "do not click financial related links in your email messages". And place a similar line at the top of every displayed web page.
An account holder can opt out of these by clicking that they understand the issue and choose to no longer be reminded.


You can't solve a social ignorance issue with technology, it takes education.