Saturday, April 19, 2008

PayPal to Ban Apple's Safari Browser? [Updated]

Yesterday I wrote an editorial at MacMod.com about PayPal's intentions to prevent Safari users from accessing its services. I am republishing my article here because it covers topics that are important for Apple and PayPal customers to be aware of, as well as security-conscious readers in general.

Anyone who has listened to either MacMod Live or Tech Pulse or has read my blog knows how frustrated I am that Apple has been negligent about adding anti-phishing functionality to Safari. The feature had been announced by Apple in August 2006 and already existed in early private beta builds of Safari 3 before being dropped inexplicably in the Public Beta. Apple clearly had the technology in place, so why in the world did they decide to drop the feature?

Well, the latest news on this front is that PayPal has plans to prevent its users from accessing its site if they're using a browser that PayPal deems to be "unsafe." eWeek quotes PayPal Chief Information Security Officer Michael Barrett:

"'At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe--usually the oldest--browsers,' he declared. Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of 'unsafe browsers,' but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates."

In an interview in late February, Barrett advised PayPal users to stop using Safari, stating that "Apple, unfortunately, is lagging behind what they need to do to protect their customers," and that he would "love to say that Safari was a safer browser, but at this point it isn't."

Netcraft, an anti-phishing organization, recently released a report saying that EV SSL ("Extended Validation," which means that the browser bar turns green when you access a page with a really expensive SSL certificate) is vulnerable to cross-site scripting in both Internet Explorer and Firefox, meaning that in theory scammers could exploit a vulnerable site that uses EV SSL (such as Sourceforge, whose site was discovered to be vulnerable last year and still hasn't been fixed) and phish users in spite of the "trusted" green bar. EV SSL is clearly not a good thing, as it only gives users the illusion of more perfect security when the feature itself can be exploited by scammers. And yet this is one of the things that PayPal wants to make a requirement in order to be considered a "safe" browser from which one can access his or her PayPal account.

If PayPal goes through with its plans, and if Apple doesn't deliver anti-phishing functionality and EV SSL before then, what would this mean for Apple customers? Those who prefer Safari, or those who simply use it because it came with the computer, will be forced to download and start using a different browser, which is not good news for Apple if it wants to continue to increase its share of the browser market. Additionally, PayPal's plans would make it impossible to access PayPal on the go via an iPhone or iPod touch.

(original source: eWeek via Slashdot)

UPDATE: A representative of the Wall Street Journal "spoke to PayPal" (wow, the whole company?!). Apparently, "contrary to many reports [PayPal] will not block Apple's Safari browser" in spite of the seemingly contradictory remarks from PayPal's Chief Information Security Officer quoted above.