Go Back   MacRumors Forums > Archive > Archives of Old Posts > MacBytes.com News Discussion

 
 
Thread Tools Search this Thread Display Modes
Old Apr 18, 2008, 07:17 AM   #1
Piarco
macrumors 68030
 
Piarco's Avatar
 
Join Date: Jun 2004
Location: Londinium
PayPal to block unsafe browsers.... like Safari?

I think I remember the folks at PayPal bemoaning Safari's apparent lack of security, but an active block due to the lack of Extended Validation SSL Certificates in Safari?

BBC Link

Is this going to force Apple to add them to Safari if this is the start of a trend?
Piarco is offline   0
Old Apr 18, 2008, 07:29 AM   #2
::Lisa::
macrumors 6502a
 
::Lisa::'s Avatar
 
Join Date: Oct 2007
Location: Nottingham, UK
Will I be the first person here to state that I think this is ridiculous?

I mean I do not need my browser address bar to glow neon green to know whether a site is none-phising or not! I would not even want my browser to do that really neither. Maybe that is just me?

I would consider myself to be web aware. It only takes 2 seconds to hover over the link and tell, and besides most of these emails have such bad grammar people can tell a mile off! LOL. The likes of my husband though, I would not even trust him with a PayPal account. He is the type of person to do that.

I think "blocking" is a bit of a harsh tactic. I mean think about it. You cannot use PayPal, you do not know why, then you accidentally come across a phising PayPal page. You then probably think that is real PayPal (because 'real' PayPal blocked you) and then enter your info. I can see that happening. Maybe all they need is a warning when logging in, similar to what you get when you have a resolution case open, stating that your browser is unsafe and linking to why.
__________________
Lisa likes to get nekkid! Meeting at Regent St Apple store sOOn
::Lisa:: is offline   0
Old Apr 18, 2008, 07:32 AM   #3
Erwin-Br
macrumors 6502a
 
Join Date: Feb 2008
Location: The Netherlands
Maybe it'll push Apple to take action. Not only does Safari lack anti-phishing support, it also doesn't handle evssl-certificates. Safari isn't the number one browser when it comes to safety, while safery has always been one of the spearheads of Apple's campaign against Microsoft.

--Erwin
__________________
Mac Pro - 2x 2.8GHz Quad Core Xeon, 16GB, 8800GT Mac Mini - 1.83GHz Intel Core 2 Duo, 1GB iPod Touch - Gen 2, 16 GB
Erwin-Br is offline   0
Old Apr 18, 2008, 07:44 AM   #4
Kilamite
macrumors G3
 
Kilamite's Avatar
 
Join Date: Mar 2007
Location: Scotland
I try to avoid PayPal as much as I can.

If they block Safari, that'll be a big customer base they'll be pissing off.
__________________
15" MacBook Pro 2GHz i7 8GB 750GB Hybrid | Mac mini 2.3GHz i7 16GB 1TB Fusion | OS X 10.10
iPhone 5 64GB | Apple TV 3 1080p | iOS 8.1
Home Theatre Hackintosh i3 3.5GHz 4GB 3TB | OS X 10.9
Kilamite is offline   0
Old Apr 18, 2008, 07:55 AM   #5
macamatic
Banned
 
Join Date: Apr 2008
Location: Richmond, UK
I don't know why PayPal are bothering that much - it doesn't ever seem to be PayPal that end up out of pocket but their innocent customers instead.
macamatic is offline   0
Old Apr 18, 2008, 08:04 AM   #6
superleccy
macrumors 6502a
 
superleccy's Avatar
 
Join Date: Oct 2004
Location: That there big London
Is Safari REALLY as unsafe as PayPal says?

If "Extended Validation SSL Certificates" are so great, then why doesn't Safari support them?

Does PayPal think that Firefox is a 'Safe" browser?

SL
__________________
2009 15" MBP: 2.66GHz C2D; 8GB RAM; 500GB SSD; 9600M GT; 20" Cinema Disp.
Switched Nov '04.
superleccy is offline   0
Old Apr 18, 2008, 08:07 AM   #7
nick9191
macrumors 68040
 
Join Date: Feb 2008
Location: Britain
Not that big a deal, you can download firefox, although Safari is much better imo.
nick9191 is offline   0
Old Apr 18, 2008, 09:35 AM   #8
cw2k7
macrumors member
 
Join Date: Jan 2008
Quote:
Originally Posted by Erwin-Br View Post
Maybe it'll push Apple to take action. Not only does Safari lack anti-phishing support, it also doesn't handle evssl-certificates. Safari isn't the number one browser when it comes to safety, while safery has always been one of the spearheads of Apple's campaign against Microsoft.

--Erwin
EV SSL certificates are only as secure as the site using them. The EV SSL certificates can cause people to lower their guard as it's sounds like it's more secure and so they authorise things they would normally be wary of.

It's already been shown how a compromised site can display a valid EV SSL certificate while allowing cross-site scripts to be injected into a site.

Sourceforge was one of the EV SSL sites that had a flaw that allowed a cross-site script to be injected while still showing the green EV SSL approved address bar.
cw2k7 is offline   0
Old Apr 18, 2008, 09:54 AM   #9
clevin
macrumors G3
 
clevin's Avatar
 
Join Date: Aug 2006
1. I wouldn't make judgment until I see the fact that paypal does this
2. Its a simple function, there is no reason to defending a position that's out of touch of the normal users, they need it, and thats end of story. You are well-informed enough that you don't need it? good for you. But you don't represent the majority of users
3. Firefos IS a safe browser.

Quote:
The EV SSL certificates can cause people to lower their guard as it's sounds like it's more secure and so they authorise things they would normally be wary of.
I don't get this, for this type of logic, cars make people not want to walk and be healthy; lifesaver might give users too much false security since it might has a small hole somewhere and sinks in the ocean.

Its just so unreasonable to focus on 1% of exception and ignore the 99% of benefits. Nothing is perfect, I would be first to admit that, but get real and be honest.

Quote:
If "Extended Validation SSL Certificates" are so great, then why doesn't Safari support them?
you can't be telling me that "anything apple doesn't use is bad or worthless"? aren't you?
clevin is offline   0
Old Apr 18, 2008, 09:56 AM   #10
wrldwzrd89
macrumors G4
 
wrldwzrd89's Avatar
 
Join Date: Jun 2003
Location: Solon, OH
Quote:
Originally Posted by cw2k7 View Post
EV SSL certificates are only as secure as the site using them. The EV SSL certificates can cause people to lower their guard as it's sounds like it's more secure and so they authorise things they would normally be wary of.

It's already been shown how a compromised site can display a valid EV SSL certificate while allowing cross-site scripts to be injected into a site.

Sourceforge was one of the EV SSL sites that had a flaw that allowed a cross-site script to be injected while still showing the green EV SSL approved address bar.
I use Firefox 2.0.0.14 for PayPal-related stuff; does this issue even affect me at all?

That said, I have to agree with cw2k7 here - EV SSL is an improvement, but certainly not a perfect solution.
__________________
iMac Intel (Rev H, 27"), 1TB HDD, 16GB RAM, 10.8.4
wrldwzrd89 is offline   0
Old Apr 18, 2008, 10:12 AM   #11
superleccy
macrumors 6502a
 
superleccy's Avatar
 
Join Date: Oct 2004
Location: That there big London
Quote:
Originally Posted by clevin View Post
you can't be telling me that "anything apple doesn't use is bad or worthless"? aren't you?
No, it was a serious question. If there was a tone of sarcasm in there it wasn't intentional.

SL
__________________
2009 15" MBP: 2.66GHz C2D; 8GB RAM; 500GB SSD; 9600M GT; 20" Cinema Disp.
Switched Nov '04.
superleccy is offline   0
Old Apr 18, 2008, 10:19 AM   #12
clevin
macrumors G3
 
clevin's Avatar
 
Join Date: Aug 2006
Quote:
Originally Posted by superleccy View Post
No, it was a serious question. If there was a tone of sarcasm in there it wasn't intentional.
SL
Sorry I might wake up on the wrong side of the bed this morning....

if its not sarcastic question, then its a great question we all should be asking, why?

I understand there were codes within webkit that are related to anti-phishing, it was planned function for safari 3 and was canceled eventually.

I don't think there is any difficulty in implementing this at all.

Two possibility I can think of

1. Apple is not aware of the seriousness of phishing development in recent years and think its not of great importance

2. Apple has trouble dealing with Security check providers for various reasons.

But for whatever reason, I hope next safari will have this. Users sure should educate themselves to be on high guard, but phishing, is quite serious at times, and self-education sometimes might just not enough.
clevin is offline   0
Old Apr 18, 2008, 11:48 AM   #13
Erwin-Br
macrumors 6502a
 
Join Date: Feb 2008
Location: The Netherlands
Quote:
Originally Posted by Kilamite View Post
I try to avoid PayPal as much as I can.

If they block Safari, that'll be a big customer base they'll be pissing off.
I try to use PayPal as much as I can. Not because I think they are great (far from it), but because I hate to re-enter my credit card information for every on-line retailer I do business with. Plus, more importantly, I don't want to leave my sensitive credit card information all over the place. Only PayPal has it, and I feel much safer about that. Think about it.

If you don't buy on-line a lot, I guess you could live without PayPal. Most retailers have the possibility to provide them with your credit card info directly on their site. If that's safe depends on the retailer, of course.

--Erwin
__________________
Mac Pro - 2x 2.8GHz Quad Core Xeon, 16GB, 8800GT Mac Mini - 1.83GHz Intel Core 2 Duo, 1GB iPod Touch - Gen 2, 16 GB
Erwin-Br is offline   0
Old Apr 18, 2008, 11:51 AM   #14
ltldrummerboy
macrumors 68000
 
ltldrummerboy's Avatar
 
Join Date: Oct 2007
The way I understood it was that they were blocking very old browsers. They only warned against Safari. Here's the article that I read.

http://www.pcworld.com/businesscente...browsers_.html
__________________
"Stay hungry, stay foolish."
-Steve Jobs
ltldrummerboy is offline   0
Old Apr 18, 2008, 01:23 PM   #15
dejo
Moderator
 
dejo's Avatar
 
Join Date: Sep 2004
Location: The Centennial State
Quote:
Originally Posted by clevin View Post
Two possibility I can think of

1. Apple is not aware of the seriousness of phishing development in recent years and think its not of great importance

2. Apple has trouble dealing with Security check providers for various reasons.
Here's a third possibility I can think of:

Apple is aware of the seriousness of phishing and has no trouble dealing with the security check providers but realizes that the phishers are very clever and whatever methods Apple puts in to stop them, the phishers will try to find ways around them. This ends up becoming a never-ending, escalating "arms war". Instead, Apple is developing ways to educate their users as to the dangers of phishing and will provide such education in a future browser update.

'Course I'm just guessing, same as you.
dejo is offline   0
Old Apr 18, 2008, 01:26 PM   #16
clevin
macrumors G3
 
clevin's Avatar
 
Join Date: Aug 2006
Quote:
Originally Posted by dejo View Post
Here's a third possibility I can think of:

'Course I'm just guessing, same as you.
whatever, its fine you just want to argue, if you think that helps anybody, go for it.
clevin is offline   0
Old Apr 18, 2008, 02:02 PM   #17
dejo
Moderator
 
dejo's Avatar
 
Join Date: Sep 2004
Location: The Centennial State
Quote:
Originally Posted by clevin View Post
whatever, its fine you just want to argue, if you think that helps anybody, go for it.
Who said I just want to argue? I don't. I thought I would just provide another possibility from a different perspective. I'm sure there are even more than just these three. And you must admit that your possibilities are just as much guesses as mine are, since neither of us works for the Webkit/Safari team.
dejo is offline   0
Old Apr 18, 2008, 02:12 PM   #18
clevin
macrumors G3
 
clevin's Avatar
 
Join Date: Aug 2006
Quote:
Originally Posted by dejo View Post
And you must admit that your possibilities are just as much guesses as mine are, since neither of us works for the Webkit/Safari team.
really? for a browser of 2-3% marketshare globally, what makes you think if apple implements an anti-phishing measure, phishing makers will give a *** ?

Last edited by clevin; Apr 18, 2008 at 02:17 PM.
clevin is offline   0
Old Apr 18, 2008, 02:25 PM   #19
dejo
Moderator
 
dejo's Avatar
 
Join Date: Sep 2004
Location: The Centennial State
Quote:
Originally Posted by clevin View Post
really? for a browser of 2-3% marketshare globally, what makes you think if apple implements an anti-phishing measure, phishing makers will give a *** ?
Huh? I'm not even sure how you came to this question based on what you were quoting. But I'll address it anyways:

Presumably because these anti-phishing measures will be the same as all the other 'safe' browsers are using, i.e. Extended Validation SSL Certificates. Remember that's what started this thread.
dejo is offline   0
Old Apr 18, 2008, 02:29 PM   #20
clevin
macrumors G3
 
clevin's Avatar
 
Join Date: Aug 2006
well, you were the one saying that apple is afraid that if it adds anti-phishing measure to safari, phishing makers will get more "cleverer".

Quote:
but realizes that the phishers are very clever and whatever methods Apple puts in to stop them, the phishers will try to find ways around them.
Im just asking, does apple adding "whatever methods" have any impact on phishing makers at all? with 2-3% market share?

PS. EV is not what started this thread, "anti-phishing" is, and anti-phishing != EV.
clevin is offline   0
Old Apr 18, 2008, 02:30 PM   #21
gnasher729
macrumors G5
 
gnasher729's Avatar
 
Join Date: Nov 2005
Quote:
Originally Posted by ::Lisa:: View Post
Will I be the first person here to state that I think this is ridiculous?
It is. It is ridiculous because accessing PayPal with an unsafe browser is not unsafe. Accessing something that _looks_ like PayPal but isn't, that is the problem, and blocking an unsafe browser from the PayPal website doesn't stop this problem. The logic is: If PayPal is blocking your access, then you are at the PayPal site, and therefore there is no phishing happening right now.

Any criminals that managed to get your PayPal account details through whatever means will obviously use what PayPal calls a "safe" browser to empty your account.
gnasher729 is online now   0
Old Apr 18, 2008, 02:34 PM   #22
clevin
macrumors G3
 
clevin's Avatar
 
Join Date: Aug 2006
Quote:
Originally Posted by gnasher729 View Post
blocking an unsafe browser from the PayPal website doesn't stop this problem.
you are right! hehe,

But after the revelation that paypal is only blocking ancient browsers, this might not be anti-phishing related afterall, maybe just SSL, TLS related.
clevin is offline   0
Old Apr 18, 2008, 02:36 PM   #23
superleccy
macrumors 6502a
 
superleccy's Avatar
 
Join Date: Oct 2004
Location: That there big London
Quote:
Originally Posted by gnasher729 View Post
The logic is: If PayPal is blocking your access, then you are at the PayPal site, and therefore there is no phishing happening right now.
Exactly. If the site you think is PayPal is blocking you, then it must be PayPal. See... no need for anti-phishing measures!

SL
__________________
2009 15" MBP: 2.66GHz C2D; 8GB RAM; 500GB SSD; 9600M GT; 20" Cinema Disp.
Switched Nov '04.
superleccy is offline   0
Old Apr 18, 2008, 02:38 PM   #24
clevin
macrumors G3
 
clevin's Avatar
 
Join Date: Aug 2006
Quote:
Originally Posted by superleccy View Post
Exactly. If the site you think is PayPal is blocking you, then it must be PayPal. See... no need for anti-phishing measures!

SL
nonononono, anti-phishing measure is for, when you visit a site looks like paypal, but actually is not.

really, eventually normal users gonna need this, and if safari doesn't offer it, there are other browsers with total 97% of market share they can pick...
clevin is offline   0
Old Apr 18, 2008, 02:50 PM   #25
dejo
Moderator
 
dejo's Avatar
 
Join Date: Sep 2004
Location: The Centennial State
Quote:
Originally Posted by clevin View Post
Im just asking, does apple adding "whatever methods" have any impact on phishing makers at all? with 2-3% market share?
But if those methods are the same methods that the other 97% of the browser market are using, then, yes, it does impact the phising makers.
Quote:
Originally Posted by clevin View Post
PS. EV is not what started this thread, "anti-phishing" is, and anti-phishing != EV.
Um, let me quote the first post in this thread:
Quote:
Originally Posted by Piarco View Post
I think I remember the folks at PayPal bemoaning Safari's apparent lack of security, but an active block due to the lack of Extended Validation SSL Certificates in Safari?
And let me also quote the BBC article linked to in the first post:
Quote:
Paypal said it supported the use of Extended Validation SSL Certificates. Browsers which support the technology highlight the address bar in green when users are on a site that has been deemed legitimate.
The latest version of Internet Explorer support EV SSL certificates, while Firefox 2 supports it with an add-on but Apple's Safari browser for Mac and PCs does not.
To me, EV is what started this thread.

And P.S. yes, now I just want to argue.
dejo is offline   0


 
MacRumors Forums > Archive > Archives of Old Posts > MacBytes.com News Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Similar Threads
thread Thread Starter Forum Replies Last Post
iOS 7 Beta Warns Users When Using Unauthorized Lightning Cables and Accessories MacRumors iOS Blog Discussion 157 Sep 22, 2013 02:23 PM
Safar 6.1 Antoni Nygaard OS X 10.8 Mountain Lion 1 Jun 10, 2013 04:09 PM
Safar Browser replacements - Bigger Better Text on iPad Mini hyteckit iPad Apps 4 Nov 8, 2012 07:25 AM
Safar 6 Becomes Unresponsive, Hogs RAM, CPU ObeseSquirrel OS X 10.8 Mountain Lion 6 Jul 29, 2012 09:35 AM
safar problem araah OS X 10.8 Mountain Lion 3 Jul 26, 2012 08:51 PM

Forum Jump

All times are GMT -5. The time now is 09:12 AM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC