Safari is too insecure for PayPal and will be blocked … maybe not

PayPal has announced that it will start blocking Safari and older versions of browsers like Firefox and Internet Explorer from accessing the site because these browsers don’t support Extended Validation (EV) certificates, which require a more detailed verification of the certified site than an ordinary SSL certificate and which should therefore make the site more secure. PayPal requires that browsers accessing its site support EV certificates and, unfortunately for Apple, Safari doesn’t quite cut the mustard:


PayPal’s mentioned that before: in February, Barrett said users should steer clear of Apple’s browser because it wasn’t up to snuff. ‘Apple, unfortunately, is lagging behind what they need to do to protect their customers,’ Barrett said then. ‘Safari has got nothing in terms of security support, only SSL, that’s it.’

I have updated Firefox on my MacBook to Firefox 3 beta and, while it doesn’t support many of the add-ons I used on Firefox 2, the latest version, beta 5, is pretty stable and works well. It also has a really handy indicator of when a site supports EV certificates:

[Screenshot: the PayPal site in Firefox 3 beta, showing the EV certificate indicator in the address bar]

Notice the green bar? That is the key indicator. Safari doesn’t support this feature yet and, while I won’t pretend that I appreciate the significance of this (I thought SSL was good enough? Seems to be the case for our banks), I wonder if we will start to see more and more sites using these certificates. Certainly Standard Bank has built up a reputation locally as a pretty tech-savvy and security-conscious bank, so I am curious whether this is an issue for Standard Bank at all.

Update: I just read in Mashable that Safari probably won’t be blocked, just older browser versions:

Au contraire. Ben Worthen of the Wall Street Journal has confirmed through a direct chat with PayPal that Safari folk need not worry about their ability to access the site.


Paul

Enthusiast, writer, strategist, web developer, and photographer. Passionate about my wife, Gina and #proudDad.

15 Comments

  1. SSL just tells you that the connection between you and that website will be encrypted. It doesn’t tell you much about the actual website you’re connected to. EvilSite.com can get an SSL certificate for less than $100 with little or no background check. With EV Certs (extended validation certificates) the site must go through a more substantial audit and that audit should give you more confidence that you’re connecting to the real PayPal, for example, and not PayyPall (a fictional bad-guy site).

    For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert:

    * Establish the legal identity as well as the operational and physical presence of the website owner;
    * Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
    * Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

    This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example).

    The other issue that’s got PayPal concerned (and many others, including Mozilla) is phishing. Firefox has a built-in Phishing Protection feature that warns you when you’ve ended up on a site known to be a phishing site. This is another way that you can know you’re at the real PayPal and not PayyPall. IE 7 has some protection against phishing too.

    Safari has many great attributes, but helping users stay safe on the Web of 2008 isn’t at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They’re the third most popular browser and with a user base in the millions, they’ve got a real responsibility to stay competitive with the leading browsers.

    Firefox and IE have both stepped up on this and so should Safari.

    – A
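As an added example (not code from the post or its commenters): a Python check of what a certificate's subject actually vouches for, in the layout that Python's `ssl` `getpeercert()` returns. It assumes an EV certificate carries the legal-identity subject fields (organisation, business category, jurisdiction, registration number) that the audit described in the comment establishes; the sample certificates are constructed, and real browsers additionally key EV on CA policy identifiers that this check does not see.

```python
# Subject layout as returned by ssl.SSLSocket.getpeercert()["subject"]:
# a tuple of RDNs, each a tuple of (attribute, value) pairs.
# Assumption: EV certificates carry the owner's legal identity in these fields.
EV_IDENTITY_FIELDS = {
    "organizationName",
    "businessCategory",
    "jurisdictionCountryName",
    "serialNumber",  # registration number of the legal entity, not the cert serial
}


def subject_to_dict(subject):
    """Flatten a getpeercert()-style subject into {attribute: value}."""
    return {name: value for rdn in subject for name, value in rdn}


def validation_level(cert):
    """'domain-only' (cheap cert: only control of the domain was checked),
    'organisation' (an organisation name is vouched for) or
    'extended' (all EV identity fields are present)."""
    subj = subject_to_dict(cert.get("subject", ()))
    if EV_IDENTITY_FIELDS.issubset(subj):
        return "extended"
    if "organizationName" in subj:
        return "organisation"
    return "domain-only"


def owner_identity(cert):
    """Owner name and physical location an EV certificate exposes to the user,
    or None when the certificate vouches for no verified owner."""
    if validation_level(cert) != "extended":
        return None
    subj = subject_to_dict(cert["subject"])
    place = ("localityName", "stateOrProvinceName", "countryName")
    location = ", ".join(subj[k] for k in place if k in subj)
    return f"{subj['organizationName']} ({location})"


# Constructed sample certificates (placeholder values, not real PayPal data).
DV_CERT = {"subject": ((("commonName", "payypall.example"),),)}
OV_CERT = {"subject": ((("countryName", "ZA"),),
                       (("organizationName", "Example Bank Ltd"),),
                       (("commonName", "www.examplebank.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "REG-NO-PLACEHOLDER"),),
                       (("countryName", "US"),),
                       (("stateOrProvinceName", "California"),),
                       (("localityName", "Springfield"),),
                       (("organizationName", "Example Payments, Inc."),),
                       (("commonName", "www.examplepayments.example"),))}
```

The lookalike domain passes as "domain-only" because nothing in its subject names an owner, which is exactly the gap the comment describes.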


  2. Hey Asa, thanks for dropping by and commenting. I didn’t realise how little an SSL certificate potentially means when it comes to certifying that a site is what it purports to be. I almost expected that there was some sort of verification process in the background and I am a bit surprised that there isn’t really. Support for EV certificates seems to be a sensible thing for sites that rely on security and want to inspire confidence in their visitors.


  3. If SSL was created to help, now it only makes things harder. I understand why PayPal would adopt this change. They guarantee their users total security. Imagine what would happen if someone got their hands on the PayPal database…
