Paypal to Block Apple Safari Browser, Other Browsers   4/30/2008 - 824 views, 1 Comment

*Note: Since publication of this article, we have been made aware of one comment, to one story, by a Paypal employee refuting that Paypal plans to block Safari. Said Mike Oldenburg, of Paypal Corporate Communications, “We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website.” Weasel words, we think - exactly how is Oldenburg defining “current”? We suggest that they probably mean “up-to-date with current anti-phishing technology”, which Safari is not at this time, and that if and when Safari adds that current anti-phishing technology, it will be supported. A look at Paypal’s own website shows that they are now all about anti-phishing technology-enabled web browsers. (By the way, nothing wrong with that.)

EBay’s Chief Information Security Officer, Michael Barrett, and Director of Information Security, Dan Levy, recently co-authored a white paper disclosing this move, writing that in their view, “letting users view the PayPal site on an unsafe browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.”

In that white paper, an official PayPal white paper entitled “A Practical Approach to Managing Phishing”, they say, and we quote:

At PayPal, we are in the process of re-implementing controls which will first warn our customers
when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking
customers from accessing the site from the most unsafe – usually the oldest – browsers.

Somehow, we think we’ll give a bit more weight to what PayPal’s Chief Information Security Officer and their Director of Information Security have to say than to what some Corporate Communications flack posts in a comment to an article on a 3rd-party site. A request to clarify the impact this move will have on Safari users posted on the PayPal blog has yet gone unanswered.

[You can download a PDF of the Paypal white paper on security and anti-phishing here.]

It is at this point that we should make clear that we applaud PayPal for their position, the white paper, and their efforts. But they should also make an unequivocal public statement as to whether or not people who use Safari will be blocked from accessing the PayPal sites and services.

So back to unsafe browsers and seatbeltless cars, it’s time to buck up and buckle up, people. PayPal said recently that it still sees site visitors using the decade-old Internet Explorer 3, released when security was little more than making sure that nobody was looking over your shoulder as you entered your password. The security situation is much more complex today, but PayPal intend to transition themselves and their users to superior security in the future. And it does appear that in order to curb attempted security breaches, in particular phishing hacks, PayPal will after this transition only permit transactions with browsers that support Extended Validation (EV) SSL certificates.

Users will be warned if they use an insecure browser, and if they persist they will be prevented from accessing the site until they upgrade. Browsers supporting EV SSL are Internet Explorer 7, Firefox Beta 3 and Version 2 (EV SSL support requires an extension, available here), and Opera 9.5. If your system is supported, for which you should check the release notes of your chosen browser, you should upgrade your browser at your earliest convenience.