Dear PayPal, Safari Isn’t The Security Problem
In an interview with Macworld, PayPal asserted that Safari was not secure enough to be included on its recommended browser list. PayPal currently recommends Internet Explorer 7+, Firefox 2+, or Opera to its users.
Michael Barrett, PayPal’s chief information security officer, said, “Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it.” Indeed, Safari lacks anti-phishing blacklisting and support for extended validation (EV) certificates. Unfortunately for Mr Barrett, of the three features he named, SSL is the only one that actually secures an online transaction. Blacklists and EV certificates give the visitor information suggesting that a site is more likely to be what it claims to be; they do not make the connection between the browser and the web server any more secure.
Mr Barrett made no mention of a flaw in Safari’s SSL implementation or other vulnerability.
Phishing sites impersonate real sites in order to trick visitors into handing over legitimate credentials and personal information. Attackers can then use this information to defraud the visitor. Phishing attacks target visitors, not technology, so the solutions are unlikely to be purely technical.
Users must learn to verify the address of any site asking for a password. Good ideas, like Bank of America’s SiteKey, have not been effective because users don’t pay attention to the security features. Another study observed extended validation certificates failing for the same reason. At some point, users need to be responsible for themselves.
As for anti-phishing blacklists, I don’t use them. Blacklists are a privacy invasion.* I don’t want every site I visit being sent to a centralized service for “verification”, unless it’s voluntary and part of my DNS.
Edit: *Unless you use Firefox, as its blacklist is localized and refreshed often. Thanks Asa for the comment. IE 7’s phishing filter, however, does phone home to verify addresses.
Posted on Thursday, February 28th, 2008 at 0:28.