<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Paul Jacobson - Latest Comments in Safari is too insecure for PayPal and will be blocked … maybe not</title><link>http://pauljacobson.disqus.com/</link><description>Life, law and other stuff</description><language>en</language><lastBuildDate>Tue, 22 Apr 2008 21:24:30 -0000</lastBuildDate><item><title>Re: Safari is too insecure for PayPal and will be blocked … maybe not</title><link>http://pauljacobson.org/2008/04/20/safari-is-too-insecure-for-paypal-and-will-be-blocked/#comment-1674479</link><description>As an aside it seems PayPal has changed their ruling on the matter according to this article:&lt;br&gt;&lt;a href="http://www.tuaw.com/2008/04/21/paypal-says-it-wont-block-safari/"&gt;http://www.tuaw.com/2008/04/21/paypal-says-it-w...&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Saulk</dc:creator><pubDate>Tue, 22 Apr 2008 21:24:30 -0000</pubDate></item><item><title>Re: Safari is too insecure for PayPal and will be blocked … maybe not</title><link>http://pauljacobson.org/2008/04/20/safari-is-too-insecure-for-paypal-and-will-be-blocked/#comment-1674478</link><description>Hey Asa, thanks for dropping by and commenting.  I didn't realise potentially how little an SSL certificate means when it comes to certifying a site is what it purports to be.  I almost expected that there was some sort of verification process in the background and I am a bit surprised that there isn't really.  
Support for EV certificates seems to be a sensible thing for sites that rely on security and want to inspire confidence in their visitors.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul</dc:creator><pubDate>Mon, 21 Apr 2008 03:54:37 -0000</pubDate></item><item><title>Re: Safari is too insecure for PayPal and will be blocked … maybe not</title><link>http://pauljacobson.org/2008/04/20/safari-is-too-insecure-for-paypal-and-will-be-blocked/#comment-1674477</link><description>SSL just tells you that the connection between you and that website will be encrypted. It doesn't tell you much about the actual website you're connected to.  &lt;a href="http://EvilSite.com"&gt;EvilSite.com&lt;/a&gt; can get an SSL certificate for less than $100 with little or no background check. With EV Certs (extended validation certificates) the site must go through a more substantial audit and that audit should give you more confidence that you're connecting to the real PayPal, for example, and not PayyPall (a fictional bad guy site.) &lt;br&gt;&lt;br&gt;For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert: &lt;br&gt;&lt;br&gt;    * Establish the legal identity as well as the operational and physical presence of website owner;&lt;br&gt;    * Establish that the applicant is the domain name owner or has exclusive control over the domain name; and&lt;br&gt;    * Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.&lt;br&gt;&lt;br&gt;This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example.) &lt;br&gt;&lt;br&gt;The other issue that's got PayPal concerned (and many others, including Mozilla) is phishing. 
Firefox has a built-in Phishing Protection feature that warns you when you've ended up on a site known to be a phishing site. This is another way that you can know you're at the real PayPal and not PayyPall.  IE 7 has some protection against phishing too. &lt;br&gt;&lt;br&gt;Safari has many great attributes, but helping users stay safe on the Web of 2008 isn't at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They're the third most popular browser and with a user base in the millions, they've got a real responsibility to stay competitive with the leading browsers. &lt;br&gt;&lt;br&gt;Firefox and IE have both stepped up on this and so should Safari.&lt;br&gt;&lt;br&gt;- A</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Asa Dotzler</dc:creator><pubDate>Sun, 20 Apr 2008 23:21:22 -0000</pubDate></item></channel></rss>