Dear PayPal, Safari Isn’t The Security Problem

Posted on Thursday, February 28th, 2008 at 0:28.

In an interview with Macworld, PayPal asserted that Safari was not secure enough to be included on its recommended browser list. PayPal currently recommends Internet Explorer 7+, Firefox 2+, or Opera to its users.

Michael Barrett, PayPal’s chief information security officer, said, “Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it.” Indeed, Safari lacks anti-phishing blacklisting and support for extended validation (EV) certificates. Unfortunately for Mr Barrett, of the methods mentioned, SSL is the only one that actually secures online transactions. Blacklists and EV certificates provide information to the visitor that the site is more likely to be what it claims. They don’t actually make the browser connection to the web server any more secure.

Mr Barrett made no mention of a flaw in Safari’s SSL implementation or other vulnerability.

Phishing sites impersonate real sites in order to trick visitors into giving legitimate information. Attackers can then use this information to defraud the visitor. Phishing attacks are attacks on visitors, not technology. The solutions aren’t likely technical.

Users must learn to verify the address of any site asking for a password. Good ideas, like Bank of America’s SiteKey, have not been effective because users don’t pay attention to the security features. Another study observed extended validation certificates failing for the same reason. At some point, users need to be responsible for themselves.

As for anti-phishing blacklists, I don’t use them. Blacklists are a privacy invasion.* I don’t want every site I visit being sent to a centralized service for “verification”, unless it’s voluntary and part of my DNS.

Edit: *Unless you use Firefox, as its blacklist is localized and refreshed often. Thanks Asa for the comment. IE 7’s phishing filter, however, does phone home to verify addresses.
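
The privacy difference between a local list and a phone-home check, as an added example (not part of the original post, and not Firefox's or IE's actual code): a simplified model that records what leaves the machine on each lookup. The class names, hosts and URLs are constructed for illustration, and what any real product transmits is not modelled.

```python
import hashlib
from urllib.parse import urlsplit


def host_suffixes(url):
    """Yield the URL's host and each parent domain with at least two labels."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(max(len(labels) - 1, 1)):
        yield ".".join(labels[i:])


def digest(host):
    return hashlib.sha256(host.encode("utf-8")).hexdigest()


class LocalBlocklist:
    """The list is downloaded in bulk; each lookup is answered on the machine."""
    def __init__(self, blocked_hosts):
        self.sent = []  # what a lookup transmits: nothing is ever appended
        self.update(blocked_hosts)

    def update(self, blocked_hosts):
        """Periodic refresh: replaces the whole list, independent of browsing."""
        self._digests = {digest(h.lower()) for h in blocked_hosts}

    def is_blocked(self, url):
        return any(digest(h) in self._digests for h in host_suffixes(url))


class RemoteLookup:
    """Every visited address is submitted to a central service for a verdict."""
    def __init__(self, blocked_hosts):
        self._blocked = {h.lower() for h in blocked_hosts}
        self.sent = []  # stands in for the service's request log

    def is_blocked(self, url):
        self.sent.append(url)  # in this model the URL as visited is transmitted
        return any(h in self._blocked for h in host_suffixes(url))


BLOCKED = ["phish.example"]  # constructed sample list
VISITS = [                   # constructed browsing session
    "https://www.bank.example/account?id=1234",
    "http://login.phish.example/signin",
    "https://clinic.example/appointments",
]


def compare(visits=VISITS):
    """Return per-URL verdicts plus what each design sent off the machine."""
    local, remote = LocalBlocklist(BLOCKED), RemoteLookup(BLOCKED)
    verdicts = [(local.is_blocked(u), remote.is_blocked(u)) for u in visits]
    return verdicts, local.sent, remote.sent
```

Both designs reach the same verdicts; only the remote one leaves the service holding the visitor's browsing history.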


11 Responses to “Dear PayPal, Safari Isn’t The Security Problem”

  1. Louis Wheeler says:

    The problem here is that people keep trying to force Apple to adopt ideas that are used by Microsoft. It is like requiring every swimmer in a pool to wear water wings because a poor swimmer drowned. Microsoft has been incredibly insecure for decades. The underlying flaws in its OS are still there so a layer of security must go on top as icing over the crud. Apple’s Mac OS does not have the underlying flaws which are exploitable. So, does it need that over layer?

    In theory, the Mac is vulnerable, because logic excludes a belief in complete safety. Even Fort Knox is vulnerable, just not very likely to be attacked directly. The question is how likely it is that a flaw in Apple’s software can be exploited. How hard is it to attack the Mac OS and use it to spread the attack to other computers? Very hard.

    Let me make a prediction that Security Analysts will continue to make such claims, but that Mac users will go on not buying security software until a major exploit is announced. We Mac users know the risks. We judge them to be rather tiny now.

  2. taras says:

    The problem is not that Safari doesn’t have anti-phishing tools. The problem is that Ebay/PayPal is doing little to nothing to improve the experience/security of its transactions. It is almost impossible to reach a human being with regards to any issue.

  3. Asa Dotzler says:

    I think you’re confused about Firefox’s Phishing Protection feature. Your sites are never sent to a centralized server for verification. Firefox uses a local blacklist, frequently updated, to compare the sites you visit so it all happens on your machine, and your URLs are never sent to a central server except, as you note, DNS.

    - A

  4. John P says:

    Barrett’s comments are quite ignorant. Leopard and Safari have a security feature called code signing. Safari integrates with the keychain for secure storage of passwords. Leopard has sandboxing technology. Safari can use a proxy server for web browsing, which can provide protection against phishing. For a rundown of Leopard’s security features, check the article at Tidbits:

    http://db.tidbits.com/article/9251

    OpenDNS is a straightforward bolt-on and provides phishing protection for the clueless. I don’t need it, but my girlfriend’s 12-yr old niece does.

  5. Jeremiah says:

    Louis: In this case, the issue isn’t even about security. The features may be useful, but they have nothing to do with Safari being insecure.

    taras: I don’t have any experience in this area, but perhaps PayPal has some “plank in the eye” syndrome.

    Asa: Thanks for the correction. I have noted Firefox’s exception above.

    John P: Well said. Should PayPal have a legitimate security concern with Safari, I would understand its position. It doesn’t and the claim is silly.

  6. Louis Wheeler says:

    Yes, Jeremiah, but where is the fire? Eventually any useful idea from Microsoft or Linux will be copied into Mac OSX, just as it does on the other side. That is why Sun’s ZFS disk operating system will slowly be integrated and replace HFS+ journaling.

    Apple has only 18 thousand non-retail personnel. It needs to assign its priorities. You may disagree that Apple is not setting a high enough priority on this, but you need to build a good case for any urgency. I did not see that case adequately built.

    Also, it is properly something that a third party developer may make some money on. Apple can’t do everything or for free.

  7. Jeremiah says:

    Louis, I think you might have misunderstood my argument. I don’t disagree with Apple on this one. Anti-phishing tools can be useful, but the lack of them is not a sign of weak security as PayPal has implied.

  8. Kee Hinckley says:

    “Good ideas, like Bank of America’s SiteKey, have not been effective because users don’t pay attention to the security features.”

    In the security world, an idea that doesn’t take into account user behavior is *not* a good idea. I don’t deny that it’s hard to do anything when users don’t pay attention. But it’s precisely that fact which made SiteKey a waste of time in the first place. There’s no point in adding yet more “what you know” security to a site. “What you have” (as in a keyfob with a random changing password) is the only thing which will provide additional real security.

  9. Bryan says:

    “‘What you have’ (as in a keyfob with a random changing password) is the only thing which will provide additional real security.”

    I agree, Keyfob or other physical means of authentication is by far the most secure available today. While I agree Paypal’s statement is ignorant, some of you aren’t giving them enough credit.

    Paypal/Ebay now integrate an option called Security Key which is a random number generating keyfob access system:

    https://www.paypal.com/securitykey

    IMHO, the simple fact they provide this is well and above most other financial companies’ security protocols.

    Now don’t get me wrong, Paypal has a myriad of other problems and downsides, but at least on user login security, they’re ahead of most.

  10. Jeremiah says:

    Kee: User behavior is exactly the problem in this case. If users can’t look up at the address bar, check that the address is correct, check that there’s a little SSL lock icon, then adding a green bar for an “extended verification” certificate isn’t likely to be effective either.

    Bryan: It’s true. My bank doesn’t even offer this and someone could do far more damage through my bank’s website than through PayPal… but I also don’t have to have a box of keyfobs for every site that I use for financial stuff.

  11. Bryan, Paypal’s Security Key is vulnerable to man-in-the-middle attack.
