Does PayPal Mean Safari Is Unsafe?
News Analysis. The online payments operation is cracking down on what it deems as "unsafe" browsers and, uh-oh, Safari isn't on the safe list.
My Security Watch colleague Ryan Naraine lays it all out in his story "PayPal Plans to Ban Unsafe Browsers." Safe browsers support EV (Extended Validation) SSL certificates, according to PayPal.
Firefox, Internet Explorer and Opera all support EV SSL, which deters phishing attacks. A PayPal whitepaper lists the browsers as safe, but not Safari.
For anyone receiving one of those fake PayPal account e-mails, the extent of the phishing problem should be obvious. But security and privacy aren't the only considerations. Phishing scams dilute both eBay and PayPal brands and disrupt legitimate customer communications.
Internet Explorer 7 started supporting EV SSL in February 2007. EV SSL provides users with visual cues in the Web address bar. Green means safe.
The whitepaper is quite deliberate in its wording: "Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."
Safari is one of the four major browsers, and it's one gaining market share, spurred on by its release for Windows and availability on iPhone. Does that car analogy really apply to Safari?
Ryan and I IMed about Safari's status, based on his reporting: "My story simply says that Safari would fall into the unsafe category based on PayPal's description." He asked: "Is PayPal just posturing to force Apple into fixing Safari? Or, do they really have the guts to ban Safari?"
It's the right question. I've wondered about Safari security since Apple released the first public Windows version back in June. Life in Little Town (Mac OS X) doesn't compare to the ghetto (Windows). Windows is a rough neighborhood, where many criminals try to enter by stealth (malware and phishing) to steal valuables (personal data and accounts). Was Apple ready for the challenge?
Confession: I feel much safer using Safari on the Mac than on Windows. Maybe it's a psychological problem, but I don't yet accept that Safari is ready to live in the ghetto. But that's not really PayPal's complaint. The online payments operation is overly concerned with EV SSL.
For Apple Watch readers using Firefox, IE 7 or Opera, did you even know about EV SSL before reading this post? Had you even noticed the Web address bar flashing some color? I've seen green at some sites. The green flash doesn't even fit the seat belt analogy. To its credit, Microsoft provides yellow and red cues in IE 7, and these could prevent or protect from a crash. But green?
PayPal demands a lot, methinks, and I wonder how much is posturing, or what I often call "security by PR." Consider this: VeriSign lists only 16 EV SSL customers and about 2,300 domains. That green flash will come at very few Web sites. Surely, the number of safe entities is greater than 16 or even 2,300. The scarcity of EV SSL adoption by Web sites diminishes the security certificate's real-world value.
A single-server EV SSL costs $1,499 from VeriSign. While there are limitations on who supposedly could buy one, phishers could still acquire a certificate and come up green. That's where the seat belt fails, when someone goes to a phishing site that flashes green.
PayPal has a big problem because it's such a large target for phishers. Should Apple have to support EV SSL just to benefit PayPal? I'd say no from a security perspective. But Apple might have other very good reasons. Apple benefits from PayPal as a payment option for iTunes. Surely that relationship is worth something.
Comments (3)
"He asked: "Is PayPal just posturing to force Apple into fixing Safari? Or, "do they really have the guts to ban Safari?""
Well, in Australia eBay banned any payment method that isn't PayPal. So I don't think they're lacking in guts...
Is SSL-EV a standard of some kind? It seemed to have popped up out of nowhere. What is its history?
Posted by whatever | April 17, 2008 8:31 PM
Apple needs to play catch up with Microsoft and the folks at Firefox in this regard. It is an embarrassment.
Posted by bob eideron | April 18, 2008 9:41 AM
What is Apple's justification for investing resources in Safari in the first place? It's a lot of time and money poured into a product that they have to give away for free.
Does the world really need another browser? I use Firefox exclusively (on my WinXP* and OS-X machines), and I certainly don't think I'm missing anything.
*Except when MSFT churlishly forces me to use IE to download and install upgrades and patches. (Is it just me, or does that make anyone else dislike the company even more?)
Posted by Jim Demers | April 23, 2008 7:43 PM