Comments on: Dear PayPal, Safari Isn’t The Security Problem

By: Alexandr Ciornii

Alexandr Ciornii — Sun, 02 Mar 2008 00:10:14 +0000

Bryan, Paypal’s Security Key is vulnerable to man-in-the-middle attack.

By: Jeremiah

Jeremiah — Fri, 29 Feb 2008 16:14:11 +0000

Kee: User behavior is exactly the problem in this case. If users can’t look up at the address bar, check that the address is correct, check that there’s a little SSL lock icon, then adding a green bar for an “extended verification” certificate isn’t like to be effective either.

Bryan: It’s true. My bank doesn’t even offer this and someone could do far more damage through my bank’s website than through PayPal… but I also don’t have to have a box of keyfobs for every site that I use for financial stuff.

By: Bryan

Bryan — Fri, 29 Feb 2008 12:27:52 +0000

“‘What you have’ (as in a keyfob with a random changing password) is the only thing which will provide additional real security.”

I agree, Keyfob or other physical means of authentication is by far the most secure available today. Which while I agree Paypal’s statement is ignorant, some of you aren’t giving them enough credit.

Paypal/Ebay now integrate an option called Security Key which is a random number generating keyfob access system:

https://www.paypal.com/securitykey

IMHO, the simply fact they provide this is well and above most other financial companies’ security protocols.

Now don’t get me wrong, Paypal has a myriad of other problems and downsides, but at least on user login security, they’re ahead of most.

By: Kee Hinckley

Kee Hinckley — Fri, 29 Feb 2008 05:50:05 +0000

“Good ideas, like Bank of America’s SiteKey, have not been effective because users don’t pay attention to the security features.”

In the security world, an idea that doesn’t take into account user behavior is *not* a good idea. I don’t deny that it’s hard to do anything when users don’t pay attention. But it’s precisely that fact which made SiteKey a waste of time in the first place. There’s no point in adding yet more “what you know” security to a site. “What you have” (as in a keyfob with a random changing password) is the only thing which will provide additional real security.

By: Jeremiah

Jeremiah — Fri, 29 Feb 2008 05:46:10 +0000

Louis, I think you might have misunderstood my argument. I don’t disagree with Apple on this one. Anti-phishing tools can be useful, but the lack of them is not a sign of weak security as PayPal has implied.

By: Louis Wheeler

Louis Wheeler — Fri, 29 Feb 2008 03:33:26 +0000

Yes, Jeremiah, but where is the fire? Eventually any useful idea from Microsoft or Linux will be copied into Mac OSX, just as it does on the other side. That is why Sun’s ZFS disk operating system will slowly be integrated and replace HFS+ journaling.

Apple has only 18 thousand non-retail personel. It needs to assign its priorities. You may disagree that Apple is not setting a high enough priority on this. but, you need to build a good case for any urgency. I did not see that case adequately built.

Also, it is properly something that a third party developer may make some money on. Apple can’t do everything or for free.

By: Jeremiah

Jeremiah — Thu, 28 Feb 2008 21:41:06 +0000

Louis: In this case, the issue isn’t even about security. The features may be useful, but they have nothing to do with Safari being insecure.

taras: I don’t have any experience in this area, but perhaps PayPal has some “plank in the eye” syndrome.

Asa: Thanks for the correction. I have noted Firefox’s exception above.

John P: Well said. Should PayPal have a legitimate security concern with Safari, I would understand its position. It doesn’t and the claim is silly.

By: John P

John P — Thu, 28 Feb 2008 20:45:34 +0000

Barrett’s comments are quite ignorant. Leopard and Safari have a security feature called code signing. Safari integrates with the keychain for secure storage of passwords. Leopard has sandboxing technology. Safari can use a proxy server for web browsing, which can provide protection against phishing. For a rundown of leopard’s security features, check the article at Tidbits:

http://db.tidbits.com/article/9251

OpenDNS is a straightforward bolt-on and provides phishing protection for the clueless. I don’t need it, but my girlfriend’s 12-yr old niece does.

By: Asa Dotzler

Asa Dotzler — Thu, 28 Feb 2008 19:35:48 +0000

I think you’re confused about Firefox’s Phishing Protection feature. Your sites are never sent to a centralized server for verification. Firefox uses a local blacklist, frequently updated, to compare the sites you visit so it all happens on your machine, and your URLs are never sent to a central server except, as you note, DNS.

- A

By: taras

taras — Thu, 28 Feb 2008 18:59:28 +0000

The problem is not that Safari doesn’t have anti-phishing tools. The problem is that Ebay/PayPal is doing little to nothing to improve the experience/security of its transactions. It is almost impossible to reach a human being with regards to any issue.