payment service and the frequent target of fraudsters, plans to block
browsers that don't include anti-phishing features from accessing its
site.
Under PayPal's plan, Apple Inc.'s Safari would be banned completely, while only older versions of its rivals Microsoft Corp.'s Internet Explorer and Mozilla Corp.'s Firefox would be barred.
"This is a good move, if [PayPal] can get away with it," said Avivah Litan, an analyst with Gartner Inc.
PayPal
spelled out the idea in a paper (download PDF) released at last week's
RSA Conference. "It's critical to not only warn users about unsafe
browsers, but also to disallow older and insecure browsers," said
Michael Barrett, PayPal's chief information security officer, in the
paper. "Letting users view the PayPal site on one of these browsers is
equal to a car manufacturer allowing drivers to buy one of their
vehicles without seatbelts."
The two features that Barrett said
browsers must have to be considered safe by PayPal were an ability to
block known or suspected phishing sites, and support for Extended
Validation (EV) certificates. EVs, which are given to companies only
after more stringent background checks than the commonplace SSL (Secure
Socket Layer) certificates, are supposed to reassure users that the
online site is legitimate. Browsers that support EVs typically shade
the address bar green as a signal that the site is safe.
But
while the current or soon-to-be-released versions of IE and Firefox
support both of PayPal's must-have features, Safari includes neither.
PayPal's
mentioned that before: in February, Barrett said users should steer
clear of Apple's browser because it wasn't up to snuff. "Apple,
unfortunately, is lagging behind what they need to do to protect their
customers," Barrett said then. "Safari has got nothing in terms of
security support, only SSL, that's it."
Under PayPal's plan,
users running browsers lacking an anti-phishing blocking tool and
support for EVs would first be only warned. Later, PayPal would block
such browsers from accessing its site.
"PayPal's having to take
dramatic measures," said Litan as she ticked off recent moves by the
payment company and its parent, eBay, to limit fraud. "They're
desperate to do something, because the [level of fraud] has even hurt
their revenue picture."
Litan said that PayPal's decision was
smart, but smacked of too little, too late. "They're really anxious to
bring more shoppers to eBay, but consumers are staying away because of
the fraud," she said. "They're right in trying to ensure the safe use
of PayPal on the seller and the buyer side, but this is something they
should have done a year ago."
According to Barrett's plan, older
browsers such as IE3 and IE4 would be among those blocked. Conceivably,
the no-longer-supported Firefox 1.x would also be kept off the site. In
the paper, however, Barrett didn't call out either Firefox or Safari by
name.
"I don't think it's really an issue," said Litan, referring
to Safari. "How hard would it be to add those features? And I would
think that most Mac users also have Firefox anyway."
PayPal did
not specify a timetable when it would switch on its browser blocking,
and did not reply to request for one on Friday. Apple also did not
respond to an e-mail asking for comment.
