ReadWriteWeb

Paypal to Safari Users: Switch Browsers or You'll be a Victim of Fraud

Written by Sarah Perez / February 29, 2008 8:30 AM / 13 Comments

In an interview with Macworld, PayPal issues a dire warning to users of Apple's Safari browser: don't use it if you want to avoid online fraud. Apparently, Safari is not on PayPal's list of recommended browsers due to its lack of support for some of the anti-phishing features the other browsers have. Instead, PayPal is recommending the use of IE, Firefox, or Opera, because they are safer for the average user.

According to Michael Barrett, PayPal's Chief Information Security Officer, "Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera."

So what is it that Safari is missing? For one, unlike the other browsers, Safari has no built-in phishing filter which warns web surfers when they visit suspicious web sites.

The other issue is that Safari doesn't support EV (Extended Validation) certificates. This secure web browsing technology turns the address bar green when visiting a legitimate web site. Currently only IE supports EV certificates, but upcoming versions of Opera and Firefox will be supporting them as well.

"Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that's it," Barrett said.

But are these technologies really having an effect? Barrett thinks so. For example, with EV's, he is basing this decision on data compiled on PayPal's web site that show that IE 7 users are more likely to sign on to PayPal. He makes the leap to presume that this is because they are more confident that the site is legit.

But to the contrary, a study (PDF) on the effectiveness of EV shows that EV certificates aren't that useful unless someone is specifically trained to notice the green address bar and what it means.

So, is Barrett being overly cautious? Or is Safari really insecure?

Comments


  • I hope I can turn off that phishing-warning-bullshit, if it ever makes its way into Safari.

    Those statements from PayPal sound like the warnings on your microwave: don't dry pets!

    As if a green address bar makes a browser more secure. That guy from PayPal you talked to is from marketing, right?

    Posted by: Dirk Olbertz | February 29, 2008 10:14 AM


  • @Dirk: Michael Barrett is PayPal's Chief Information Security Officer

    Posted by: Sarah Perez | February 29, 2008 10:29 AM


  • The reason why Internet Explorer 7 (and Firefox and Opera) are "safer" than Safari isn't because of IE's support for EV certificates, but the phishing filter, which is extremely important and useful.

    Mozilla made a study (http://www.mozilla.org/security/phishing-test.html) that said that both Internet Explorer and Firefox are able to detect between 60% and 80% of malicious websites. The new Firefox 3 will support incremental updates and will therefore be even faster than the current version of Firefox. Opera wasn't tested in this study, but has an anti-phishing technology included, too. Safari does not - and that's the point.

    The browser is vulnerable on two fronts:

    1. Code
    Bugs in the browser code can result in malicious code (on a website) being able to find its way onto the computer, where it can do damage. (Delete files, install adware, etc.)
    The second way the browser software itself creates a problem is when features can be misused. ActiveX in Internet Explorer is the biggest and best known problem in this field.

    All browser vendors continue to invest in their code stability and security, and Apple definitely has nothing to hide here.

    2. Websites
    The second and for private users even more dangerous problem is of social nature: Phishing.
    Websites claim to be something they aren't. It's very, very easy to create a website that claims to be something it isn't. It's easy to replicate the design of another website, and it's possible to suggest that the url is the correct one, too:
    http://www.paypal.com.some.other@fakesite.com/
    This url would lead to fakesite.com, but it looks - especially to untrained people - like PayPal.com.

    Ordinary people tend to overlook the address bar and can therefore easily miss the fact that www.paypal.com.some.other@fakesite.com isn't paypal.com.

    The ONLY solution to this problem is the phishing filters that are included in modern browsers. This is something where Microsoft can claim correctly that they are doing way better than Apple to care for their customers.

    Concluding: PayPal is absolutely right to put pressure on Apple, hopefully others will follow!

    Posted by: Sebastian | February 29, 2008 10:37 AM
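The userinfo trick described in the comment above, as an added example that is not part of the original post or its comments: the URL standard's parser treats everything before the "@" in the authority as userinfo, so the host actually contacted is what follows it. `analyzeLink` and its flag names are hypothetical, and every sample link except the one quoted in the comment is constructed.

```javascript
// Added example: analyzeLink and its flag names are hypothetical, not a browser API.
// True when host is the trusted domain itself or one of its subdomains.
function belongsTo(host, trustedDomain) {
  return host === trustedDomain || host.endsWith("." + trustedDomain);
}

// Report which host a link really targets and why it may look deceptive.
function analyzeLink(rawUrl, trustedDomain) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser: text before "@" is userinfo
  } catch (err) {
    return { host: null, hostTrusted: false, flags: ["unparseable"] };
  }
  // Normalise case and a trailing root dot ("paypal.com." equals "paypal.com").
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const userinfo = (url.username + ":" + url.password).toLowerCase();
  const hostTrusted = belongsTo(host, trustedDomain);
  const flags = [];
  if (url.username !== "" || url.password !== "") {
    flags.push("userinfo-present");
    // The trusted name is only decoration in front of the "@".
    if (userinfo.includes(trustedDomain)) flags.push("trusted-name-in-userinfo");
  }
  // The trusted name appears inside a host that belongs to someone else.
  if (!hostTrusted && host.includes(trustedDomain)) {
    flags.push("trusted-name-in-foreign-host");
  }
  return { host, hostTrusted, flags };
}

// Constructed sample links; the first is the one quoted in the comment.
const samples = [
  "http://www.paypal.com.some.other@fakesite.com/",
  "https://www.paypal.com/signin",
  "http://www.paypal.com.fakesite.example/login",
  "https://www.paypal.com./signin",
  "not a url",
];
for (const link of samples) {
  const r = analyzeLink(link, "paypal.com");
  console.log(link, "->", r.host, r.hostTrusted, r.flags.join(",") || "none");
}
```

A mail gateway or link-preview service can run the same check on links before a user ever sees them, showing the real host instead of the raw string.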


  • How about, "Don't use PayPal".

    Posted by: Neil | February 29, 2008 10:58 AM


  • It's nice to see Paypal recommending browsers but if IE is recommended because it is more secure (or just has a higher conversion rate) quote "For example, with EV's, he is basing this decision on data compiled on PayPal's web site that show that IE 7 users are more likely to sign on to PayPal.", there may be a bit of bias here as the conversion rate is much higher

    Posted by: Clark Jones | February 29, 2008 11:39 AM


  • If you're using Safari, use OpenDNS to be warned of Phishing sites. http://opendns.com/

    Posted by: GB | February 29, 2008 12:10 PM


  • PayPal, because of who owns them and what they do, are strongly incentivised to try to make sure that ALL browsers work securely.

    If their CISO wants to promote features that PayPal see as important, then I'm pleased.

    The ideal result would, of course, be Apple to improve Safari further.


    Mark, writing from Camino on a Mac :-)

    Posted by: Mark Harrison | February 29, 2008 1:38 PM


  • Sorry, but anyone that recommends IE, to be more secure, can't be taken seriously. I've been a network admin since '92, supporting just about every major OS that you could name.

    We don't allow anyone in our company to use IE - for security reasons.

    Posted by: Bob | February 29, 2008 1:48 PM


  • Paypal sucks!

    Posted by: Tom | February 29, 2008 2:38 PM


  • If I had to choose between Paypal or Safari, I'd pick Safari ;)

    Posted by: Wack | March 1, 2008 6:50 AM


  • Firstly, what's wrong with Paypal? I've used it for years and I prefer it over other payment systems. I know there were problems with it way back but, for me at any rate, it has been perfect.

    Secondly, anyone with half a brain can spot and avoid a phishing site. I get emails every week purporting to come from PayPal, some of them looking very, very authentic. Follow the simple rule, never click the link, and you can't go wrong. You can log onto your Paypal account perfectly securely and do whatever business you want to from Safari. What is the problem? Bah!

    Posted by: Mike Power | March 1, 2008 8:23 AM


  • I'm a little shocked they were so robust in their comments. Safari is increasingly popular - it's really astounding to see how many more users are on the Mac platform now versus even 12 months ago.

    I agree with Mike - people should be able to spot most phishing attempts. Worse I find IE gets hung up/lags often and it's usually the phishing filter.

    Posted by: Heather | March 1, 2008 8:23 PM


  • "Security" is a technical classification. Phishing attacks are attacks on visitors, not technology. The solutions aren’t likely technical.

    Users must learn to verify the address of any site asking for a password. Good ideas, like Bank of America’s SiteKey, have not been effective because users don’t pay attention to the security features. The study mentioned in this post showed extended validation certificates failing for the same reason. At some point, users need to be responsible for themselves.

    PayPal could have revealed its shocking statistics about how frequently its users fall for phishing attacks and used the publicity to educate users about phishing attacks, but it instead chose to make an enemy of its Safari users.

    Posted by: Jeremiah | March 2, 2008 8:51 AM



