April 20th 2008 05:16 pm
Safari is too insecure for PayPal and will be blocked … maybe not
PayPal has announced that it will start blocking Safari and older versions of browsers like Firefox and Internet Explorer from accessing the site because these browsers don’t support Extended Validation certificates which require a more detailed verification of the certified site than normal SSL and which should therefore make the site more secure. PayPal requires that browsers accessing its site support EV certificates and unfortunately for Apple, Safari doesn’t quite cut the mustard:
PayPal’s mentioned that before: in February, Barrett said users should steer clear of Apple’s browser because it wasn’t up to snuff. ‘Apple, unfortunately, is lagging behind what they need to do to protect their customers,’ Barrett said then. ‘Safari has got nothing in terms of security support, only SSL, that’s it.’
I have updated Firefox on my MacBook to Firefox 3 beta and while it doesn’t support many of my add-ons which I used on Firefox 2, the latest version, beta 5, is pretty stable and works well. It also has a really handy indictor of when a site supports EV certificates:
Notice the green bar? That is the key indicator. Safari doesn’t support this feature yet and while I won’t pretend that I appreciate the significance of this (I thought SSL was good enough? Seems to be the case for our banks), I wonder if we will start to see more and more sites using these certificates. Certainly Standard Bank has built up a reputation locally as a pretty tech savvy and security conscious bank so I am curious whether this is an issue for Standard Bank at all?
Update: I just read in Mashable that Safari probably won’t be blocked, just older browser versions:
Au contraire. Ben Worthen of the Wall Street Journal has confirmed through a direct chat with PayPal that Safari folk need not worry about their ability to access the site.
Technorati Tags:
web, web browser, extended validation, firefox 3, paypal, security
Add New Comment
Viewing 3 Comments
Thanks. Your comment is awaiting approval by a moderator.
Do you already have an account? Log in and claim this comment.
Do you already have an account? Log in and claim this comment.
http://www.tuaw.com/2008/04/21/paypal-says-it-w...
Do you already have an account? Log in and claim this comment.
Do you already have an account? Log in and claim this comment.
For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert:
* Establish the legal identity as well as the operational and physical presence of website owner;
* Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
* Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.
This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example.)
The other issue that's got PayPal concerned (and many others, including Mozilla) is phishing. Firefox has a built in Phishing Protection feature that warns you when you've ended up on a site known to be a phishing site. This is another way that you can know you're at the real PayPal and not PayyPall. IE 7 has a some protection against phishing too.
Safari has many great attributes, but helping users stay safe on the Web of 2008 isn't at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They're the third most popular browser and with a user base in the millions, they've got a real responsibility to stay competitive with the leading browsers.
Firefox and IE have both stepped up on this and so should Safari.
- A
Add New Comment
Trackbacks