DISQUS

DISQUS Hello! Paul Jacobson is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

Paul Jacobson

Life, law and other stuff
Jump to original thread »
Author

Safari is too insecure for PayPal and will be blocked … maybe not

Started by pauljacobson · 11 months ago

PayPal has announced that it will start blocking Safari and older versions of browsers like Firefox and Internet Explorer from accessing the site because these browsers don’t support Extended Validation certificates which require a more detailed verification of the certified site than no ... Continue reading »

6 comments

  • Asa Dotzler

    1 year ago

    SSL just tells you that the connection between you and that website will be encrypted. It doesn't tell you much about the actual website you're connected to. EvilSite.com can get an SSL certificate for less than $100 with little or not background check. With EV Certs (extended validation certificates) the site must go through a more substantial audit and that audit should give you more confidence that you're connecting to the real PayPal, for example, and not PayyPall (a fictional bad guy site.)

    For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert:

    * Establish the legal identity as well as the operational and physical presence of website owner;
    * Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
    * Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

    This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example.)

    The other issue that's got PayPal concerned (and many others, including Mozilla) is phishing. Firefox has a built in Phishing Protection feature that warns you when you've ended up on a site known to be a phishing site. This is another way that you can know you're at the real PayPal and not PayyPall. IE 7 has a some protection against phishing too.

    Safari has many great attributes, but helping users stay safe on the Web of 2008 isn't at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They're the third most popular browser and with a user base in the millions, they've got a real responsibility to stay competitive with the leading browsers.

    Firefox and IE have both stepped up on this and so should Safari.

    - A
    reply
  • Asa Dotzler

    1 year ago

    SSL just tells you that the connection between you and that website will be encrypted. It doesn't tell you much about the actual website you're connected to. EvilSite.com can get an SSL certificate for less than $100 with little or not background check. With EV Certs (extended validation certificates) the site must go through a more substantial audit and that audit should give you more confidence that you're connecting to the real PayPal, for example, and not PayyPall (a fictional bad guy site.)

    For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert:

    * Establish the legal identity as well as the operational and physical presence of website owner;
    * Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
    * Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

    This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example.)

    The other issue that's got PayPal concerned (and many others, including Mozilla) is phishing. Firefox has a built in Phishing Protection feature that warns you when you've ended up on a site known to be a phishing site. This is another way that you can know you're at the real PayPal and not PayyPall. IE 7 has a some protection against phishing too.

    Safari has many great attributes, but helping users stay safe on the Web of 2008 isn't at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They're the third most popular browser and with a user base in the millions, they've got a real responsibility to stay competitive with the leading browsers.

    Firefox and IE have both stepped up on this and so should Safari.

    - A
    reply
  • Paul

    1 year ago

    Hey Asa, thanks for dropping by and commenting. I didn't realise potentially how little a SSL certificate means when it comes to certifying a site is what it purports to be. I almost expected that there was some sort of verification process in the background and I am a bit surprised that there isn't really. Support for EV certificates seems to be a sensible thing for sites that rely on security and want to inspire confidence in their visitors.
    reply
  • Paul

    1 year ago

    Hey Asa, thanks for dropping by and commenting. I didn't realise potentially how little a SSL certificate means when it comes to certifying a site is what it purports to be. I almost expected that there was some sort of verification process in the background and I am a bit surprised that there isn't really. Support for EV certificates seems to be a sensible thing for sites that rely on security and want to inspire confidence in their visitors.
    reply
  • Saulk

    1 year ago

    As an aside it seems Paypal has changed their ruling on the matter according to this article:
    http://www.tuaw.com/2008/04/21/paypal-says-it-w...
    reply
  • Saulk

    1 year ago

    As an aside it seems Paypal has changed their ruling on the matter according to this article:
    http://www.tuaw.com/2008/04/21/paypal-says-it-w...
    reply

Add New Comment

Returning? Login