The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions.Now on the one hand, I think EV SSL is color-coded checklist security candy:
“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.
Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of “unsafe browsers,” but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.
— BPayPal Plans to Ban Unsafe Browsers, By Ryan Naraine, EWeek.com, 2008-04-17
The EV SSL certificates are meant to provide trust to Web-based transactions. For example, if you use Microsoft’s IE 7 to visit a Web site secured with an EV SSL certificate, the URL address bar is displayed in green and offers the ability for the user to toggle between the organization name listed in the certificate and the issuing Certificate Authority.On the other hand, at least Paypal is introducing the concept of blocking broken software. This isn’t exactly legal software liability, but it’s a step in that direction, and conceivably could be more effective.
Firefox and Opera have announced their intention to support EV SSL in upcoming releases.
The jury is still out on the value of EV SSL certificates as a meaningful security utility but, in Barrett’s mind, the green URL bar offers a visual cue that “makes it much easier for users to determine whether or not they’re on the site that they thought they were visiting.”
A Paypal white paper also recommends ISPs taking a role in blocking incoming phishing mail:
It makes the argument that anti-phishing initiatives must start with blocking fraudulent e-mails from being delivered to phishing victims. “If phishmail never makes it into a customer’s in-box, the customer cannot become a victim,” it said, noting that ISP cooperation is needed to adopt e-mail authentication schemes.I have to wonder why it doesn’t recommend ISPs blocking such messages outbound?
“Our No. 1 strategy centered on a creative use of new e-mail signing standards and cooperation with major [ISPs] to actually block unsigned e-mail that looked to be from PayPal—before the mail reached the customers,” Barrett said. Instead of just using digital signatures in e-mails, the company went a step further with a proposal for ISPs to toss out fraudulent e-mails at the network edge.