PayPal is to block any browsers that do not support Extended Validation (EV) SSL certificates in a move designed to curb phishing. This means that people using older browsers – PayPal says it still sees people using the ten-year-old Internet Explorer 3 – will be blocked from the site, and developers such as Apple will have to move rickety tick to implement the standard in newer browsers, such as Safari.
The move was outlined in a white paper written by PayPal’s chief information security officer Michael Barrett and director of risk management Dan Levy.
EV SSL certificates require a more stringent form of validation than some other types of SSL certificate, which are issued on domain validation only rather than being properly vetted as intended. Most browsers can’t tell the difference between a low-grade and a really secure SSL connection; the browser simply displays the magic padlock that surfers have been trained to look for on any site with SSL. Phishers have therefore begun to add SSL certificates to their dummy landing pages, adding another layer of credibility to their scams.
With EV SSL the validation is much more stringent, and browsers that support it show the address bar turning green to indicate that a secure EV SSL connection has been made. "By displaying the green glow and company name, these newer browsers make it much easier for users to determine whether or not they’re on the site that they thought they were visiting," the white paper said.
Most current browsers, including IE7, Firefox Beta 3 and higher, and Opera 9.5, support the standard or are implementing full support. Safari does not currently support EV SSL, but it will likely have to after this move by PayPal, which will probably see other online merchant sites following suit.
PayPal will at first warn a user if he or she is using a browser that does not support EV SSL. If the user persists in using the insecure browser, they will be banned from the website until they upgrade. The main culprits would be legacy versions of Microsoft’s Internet Explorer.
The industry has been looking for ways to coax users to upgrade to newer and more secure browsers, and developers themselves have been making big strides in making their products less scam-prone. IE7’s much-touted anti-phishing feature includes EV SSL as a critical component. It seems that simple advice to download the latest version of whichever browser a user is on has not worked. Now if a user is on IE6 or an old version of any other browser, they will be advised to upgrade every time they visit PayPal, and eventually forced to upgrade if they wish to continue using the service.
"In our view letting users view the PayPal site on [an unsafe] browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts." Sometimes you have to be cruel to be kind… And this isn’t being that cruel.