PayPal won't block Safari, but browser still considered unsafe

Posted by Christian Zibreg

Chicago (IL) - When PayPal's information security chief recently outlined new measures the company will take to battle phishing attacks and online fraud, it became evident that Apple's Safari browser lacks certain basic security features. Some predicted that PayPal would block Safari users from accessing the online payment service altogether. A company spokesperson has now reassured users that this is not the case. However, Safari still has no built-in features to protect its users from phishing sites and identity theft.

Over the last couple of days, multiple online sources claimed that eBay's PayPal is planning to block Safari users from accessing the online payment service altogether. For example, AppleInsider cited Safari's lack of an anti-phishing mechanism and its lack of support for Extended Validation SSL (EV SSL) certificates as the two shortcomings that conflict directly with PayPal's strengthened security policies.

PayPal went on record last night with the Wall Street Journal and explained that it won't, at least at this moment, block Safari users from accessing PayPal. "PayPal is developing features to block customers from logging into PayPal when using obsolete browsers on outdated or unsupported operating systems. An example of such a browser/OS combination might be, for example, Internet Explorer 4 running on Windows 98. In doing so, we better protect our customers from viewing a phishing site through their browser. We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website," said Michael Oldenburg, PayPal’s corporate communications spokesman.

That statement, however, doesn't do much for Safari users, and one could wonder whether Apple is doing enough to protect them from online fraud.

The story first broke when online media outlets picked up a white paper (PDF download) published by PayPal's chief information security officer Michael Barret. In the document, Barret singled out the web browser as a key tool in the effort to end phishing scams. He criticized browsers, without naming them, for lacking anti-phishing mechanisms and support for EV SSL certificates. "In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat-belts," Barret wrote.

Phishing is a method of deceiving a user into believing that a fraudulent site or email is genuine, in order to trick the user into handing over sensitive information such as login credentials. Sites like eBay and PayPal have been popular targets of phishing scams.

Barret warned that a browser is the "first and last line of defense" against such fraud. IE7 and Firefox 2 have built-in anti-phishing tools that check each visited site against a publicly available, regularly updated blacklist of known phishing sites. Such a blacklist can only flag sites that have already been reported, so it protects against known campaigns rather than brand-new ones, but it catches the bulk of the long-running ones. For example, Firefox 2 users can set a preference to check each site against Google's database. Apple had briefly incorporated Google's database into beta builds of Mac OS X Leopard and Safari 3, but removed the feature from both the operating system and the final Safari builds. The feature could be added again in a future update, as traces of it remain in the code.

EV SSL support comes built-in with IE7 and the upcoming Firefox 3. Users of Firefox 2 can install the Verisign EV Green Bar extension to gain EV SSL certificate support free of charge. When a user visits a site that has an EV SSL certificate, IE7's address bar turns green, and Firefox 2's gray, meaning the certificate was issued under the stricter EV vetting rules, under which the certificate authority verifies the legal identity of the organization before issuing. A user can then click the certificate indicator to see which company runs the site, providing another layer of assurance. Safari, however, lacks EV SSL support.

A lack of both anti-phishing mechanisms and EV SSL support puts Safari, by Barret's seat-belt standard, in the same security category as IE4. Although PayPal says it has no immediate plans to block Safari users, it is obvious that Apple should act quickly and provide Safari users with anti-phishing tools and better handling of security certificates. So far, Apple does not have a great track record in browser security. It took too long for Safari to receive even the most basic certificate features. If Apple wants to expand its Safari user base and make the browser an alternative to IE and Firefox, it will have to match the security features of competing products, no question about it.