In a new white paper (PDF) prepared for the recent RSA Conference, PayPal chief information security officer Michael Barrett and colleague Dan Levy outline a multi-part strategy for PayPal to combat phishing attacks. The paper proposes that PayPal stop supporting browsers that do not implement Extended Validation certificates (EV-SSL)—which would mean PayPal could stop supporting “unsafe” browsers including versions of Internet Explorer before IE7, early versions of Firefox, and current versions of Apple’s Safari Web browser (the default browser for Mac OS X, which Apple is now pushing to Windows users via iTunes).
“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts,” the authors wrote in the white paper.
The paper outlines a graduated strategy whereby users with browsers supporting the required technology would be able to conduct transactions via PayPal normally, users with the previous major release of a browser would be allowed to conduct transactions only after explicitly bypassing a warning, and users of still-older browsers would be disallowed entirely.
Barrett has previously criticized Safari for not supporting EV-SSL and for not offering anti-phishing filters that warn users when they attempt to connect to known phishing sites. Usability studies haven’t shown that anti-phishing warnings are effective without user training, but Barrett believes that the “green bar” of a validated site provides a clear visual cue users will understand when they land on a validated site.
Currently, only Internet Explorer 7 supports EV-SSL; Firefox 3.0 plans to support it, as does Opera. Apple hasn’t made any comment on when (or if) Safari might support EV-SSL or anti-phishing services.
In a statement, PayPal says it only plans to develop features that block customers from logging in using “obsolete browsers on outdated or unsupported operating systems”—it offers IE4 on Windows 98 as an example—and says it would not block current versions of any browser, including Apple’s Safari.