TMCnet

Enterprise Featured Article

April 21, 2008

Paypal to Block Unsafe Browsers (But Not Safari)


It all started when a white paper entitled “A Practical Approach to Managing Phishing” was published by web payment firm PayPal’s Chief Information Security Officer Michael Barrett and Senior Director of Risk Management Dan Levy. The paper, released at the RSA Conference on April 10, 2008, described what could be done to tackle the Internet’s widespread problem with “phishing”: the range of “social engineering” activities that trick users into handing over passwords, account numbers or other sensitive data, such as a Web site with a slightly misspelled name that captures visits from careless typists and presents them with a copy of the real site’s login page.


 
The paper reveals the following: “It’s critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers… Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts.” Barrett defined “unsafe browsers” as those “which do not have support for blocking phishing sites or for Extended Validation SSL certificates.” EV SSL certificates are a newer form of digital certificate that a certificate authority issues only after verifying the legal identity of the organization operating the site, so that a browser can show users that the site they are currently visiting has been vetted and is the genuine one.
 
Note that one part of the solution is to block older browsers that are no longer supported with security updates. Once a vendor stops patching a browser, every flaw found in it afterwards stays exploitable for as long as the browser is in use, which is what makes such browsers easy targets. Internet Explorer 3, for example, was released in 1996 and bundled with later releases of Windows 95 (Microsoft dropped support for it and for Windows 95 at the end of 2001). Internet Explorer 4 and Windows 98 support was finally dropped in July 2006. Even Internet Explorer 5.01 will be abandoned in the middle of 2010, when Microsoft cuts loose Windows 2000. IE6, IE7 and Opera 9.25 and later seem to be in the clear.
 
So far so good. However, what makes things white hot is the second statement, about blocking browsers that don’t support Extended Validation SSL certificates. PayPal itself uses an Extended Validation SSL certificate on its site. When a browser that supports this technology arrives at a legitimate, EV-certified site, the browser’s address bar is highlighted in green, which makes it easy for users to see that they are on the actual, legitimate website rather than on a look-alike whose ordinary certificate gets no green treatment.
 
The latest version of Internet Explorer (IE7) supports EV SSL certificates, while Firefox 2 supports them only via an add-on. The problem is that Apple’s Safari browser for Mac and PCs does not support such certificates at all. Thus, it appeared that PayPal was going to warn, and then ultimately block, users of Apple’s Safari browser on its site.
 
After a storm of protest and the usual mob brouhaha, PayPal now says it has no intention of blocking current versions of any browser, including Apple’s Safari, from its website. Apple currently supports Safari 3.0 with security updates and other patches. The earlier Safari 2.0 browser shipped with Mac OS X 10.4 (alias “Tiger”), an operating system still supported by Apple. In any case, PayPal now says it will not block Safari 2.0 on Tiger until Apple starts shipping the successor to Mac OS X 10.5 (“Leopard”).
 
Barrett and Levy’s paper goes on to say that users could also be protected through email authentication: messages signed with DomainKeys and sent from mail servers that the sending domain has authorized via the Sender Policy Framework (SPF). Receiving service providers could then check the signature and the sending server against the domain’s published records and filter out phishing emails before they ever reached users. PayPal is also currently exploring a relationship with Iconix, a company that sells email client plug-ins that verify such email signatures and show the result to the user.
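To make the filtering step concrete, here is an added example (not code from PayPal, from the Barrett and Levy paper, or from Iconix) of how a receiving mail server evaluates an SPF record for the envelope sender’s domain. The DNS TXT records and sender addresses are constructed for the example; the domains `example-pay.test`, `_spf.mailer.test` and the `loop-*.test` pair are hypothetical. The evaluator is a deliberate subset of SPF: it handles the `ip4`, `ip6`, `include` and `all` mechanisms with the four qualifiers and the 10-lookup limit, and treats anything else as a permanent error.

```python
import ipaddress

# Constructed DNS TXT records standing in for a real resolver.
# These are example data, not any real domain's published policy.
DNS_TXT = {
    "example-pay.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # Two records that include each other, to exercise the lookup limit.
    "loop-a.test": "v=spf1 include:loop-b.test -all",
    "loop-b.test": "v=spf1 include:loop-a.test -all",
}

MAX_LOOKUPS = 10          # SPF limit on DNS-querying mechanisms per check
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF TXT record, or None if it has none."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, _lookups=None):
    """Evaluate sender_ip against domain's SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]            # shared counter across include: recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")

        if mech == "all":
            return result                    # catch-all: ends evaluation
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed record
            if ip.version == net.version and ip in net:
                return result
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"           # loop or oversized policy
            inner = check_spf(sender_ip, arg, _lookups)
            if inner == "pass":
                return result                # included policy matched
            if inner in ("none", "permerror"):
                return "permerror"           # included domain unusable
            # fail/softfail/neutral from an include is simply "no match"
        else:
            return "permerror"               # a/mx/ptr/exists not implemented here
    return "neutral"                         # no mechanism matched, no "all"


def filter_decision(sender_ip, envelope_from_domain):
    """Map the SPF result to what the receiving server does with the message."""
    result = check_spf(sender_ip, envelope_from_domain)
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example-pay.test"),
                    ("203.0.113.5", "example-pay.test"),
                    ("203.0.113.5", "loop-a.test")]:
        print(ip, dom, check_spf(ip, dom), filter_decision(ip, dom))
```

Note what this check does and does not establish: SPF compares the connecting server’s IP with the policy of the domain in the SMTP envelope sender (MAIL FROM), which is not the From: header the user actually sees in the mail client. A phisher can pass SPF for a domain they control while the visible From: still claims to be the payment firm. That is why the paper pairs SPF with DomainKeys, whose signature covers the message headers and body and is verified against a public key published by the domain named in the signature, and why a client-side plug-in such as the one Iconix sells is useful for surfacing the verification result to the user.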
 
Richard Grigonis is Executive Editor of TMC’s IP Communications Group. To see more of his articles, please visit his columnist page.