homepage Welcome to WebmasterWorld Guest from 54.204.142.143
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe to WebmasterWorld

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / HTML
Forum Library, Charter, Moderators: incrediBILL

HTML Forum

    
PayPal Thinking About Blocking Some Web Browsers
engine




msg:3630403
 10:43 am on Apr 19, 2008 (gmt 0)

Most controversial is the idea of blocking "unsafe" browsers, or browsers that do not currently include antiphishing tools. PayPal says it would first notify users when they log in if they are using an unsafe browser. Later, PayPal would simply block the use of the browser entirely.

PayPal is interested in enforcing new Extended Verification SSL certificates used by Internet Explorer 7 and the upcoming Mozilla Firefox 3. EV SSL highlights the address bar in green when the site has been certified. Other browsers, such as Apple Safari and Opera, do not currently include these protections.

Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of the Opera on its DS and Wii gaming systems as lacking adequate antiphishing protection.

PayPal Thinking About Blocking Some Web Browsers [news.com]

 

mikedee




msg:3630421
 11:29 am on Apr 19, 2008 (gmt 0)

I am sure Safari and Opera will get this feature fairly quickly. The bigger news is that this could spell the premature death of IE6 if lots of other sites adopt this policy (lets hope so anyway)

bateman_ap




msg:3630434
 12:35 pm on Apr 19, 2008 (gmt 0)

The bigger news is that this could spell the premature death of IE6

Not quite I'm afraid. In the BBCs report they quote PayPal talking about IE3 and IE4 instead!

"Paypal said some users were still using Internet Explorer 3"

[news.bbc.co.uk...]

Receptional Andy




msg:3630443
 12:52 pm on Apr 19, 2008 (gmt 0)

If Paypal and others just stopped sending a barrage of HTML emails with prompts to login to accounts then there would be very little phishing problem. The rule is: don't use links in HTML email to login to sensitive websites. If you do, you'll get caught out eventually.

There's nothing wrong with the idea of EV SSL, since it does the verification that should probably be built into getting a cert anyway, but what's this got to do with phishing?

The overwhelming majority of phishing websites I've seen don't use SSL at all, so is there any reason to believe users will learn to look for a green bar if they don't currently look for a padlock or for any other warning signs?

mikedee




msg:3630447
 1:07 pm on Apr 19, 2008 (gmt 0)

"Paypal said some users were still using Internet Explorer 3"

Paypal meant that some users were still using browsers that reported themselves as IE3. IE6 does not support EV so it will be blocked if they go through with this.

I suppose once all browsers have EV support then they can plan a big campaign around looking for the yellow and green bar. EV should also make it impossible for someone to register a certificate for 'paypall'. Therefore you can guarantee to your users that they are on your site as long as they see "Paypal Inc. (US)" in the green part of the url bar.

willybfriendly




msg:3630550
 4:43 pm on Apr 19, 2008 (gmt 0)

"In 2006, researchers at Stanford University and Microsoft conducted a usability study of the EV display in Internet Explorer 7 [usablesecurity.org] (pdf). The study measured users' ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing attacks, and found that there was no significant difference between users who saw extended validation indicators and those who did not. Users who received training with the Internet Explorer 7 help file were more likely to judge all sites legitimate, regardless of whether they were fraudulent."

[edited by: tedster at 4:57 pm (utc) on April 19, 2008]
[edit reason] add note about the link being a pdf [/edit]

jecasc




msg:3630583
 5:40 pm on Apr 19, 2008 (gmt 0)

Will phishing sites block unsafe browsers, too?

Whats the message here? If you can still login with your browser you must be on a phising site and not on Paypal?

balam




msg:3630584
 5:41 pm on Apr 19, 2008 (gmt 0)

> The bigger news is that this could spell the premature death of IE6 [...]

No, the bigger news is that this move by Paypal is going to affect your bottom line, which is why I started a thread about this in the Ecommerce forum.

I use Windows 2000, and therefore can proceed no further than IE6. (Please, allow me to remain blissfully unaware that I can use a different browser. ;) ) So, if I visit your site and try to make a purchase, what happens?

You lose a sale because Paypal discriminates against my browser. How cool is that?

Now, I'm smart enough to know that's not you imposing this browser apartheid, but what about your other potential customers? Will they understand the philosophy of, "We refuse to sell to you - it's for your own good"?

It's great that "we" advocate getting away from the "This site best viewed with..." philosophy, but it's terrible to move to "We'll only do business with you if you use..."

swa66




msg:3630589
 6:13 pm on Apr 19, 2008 (gmt 0)

I can only hope IE6 dies soon, it'll be the only way to get rid of the idiotic choices made in designing it (e.g. the "support" for CSS).

But that'll not kill off IE6, they seem to be dancing to Microsoft's tune.

EV brings nothing (unless you're a CA, or unless you're microsoft and need to draw attention away of your problems)

Buit-in browser anti-phishing ... I've actually tried to set it off to get a screen capture to use in awareness session. From al recent phishing samples I had in my mailbox *none* triggered any of them.

Paypal better change shoulder fast and do something that would matter in the long run. Eg. talk to their buddies at microsoft of making them drop ActiveX completely, it is, was and will be a bad idea.
Also they better look at themselves: stop sendign rich email with links in it. Tell customers to bookmark a portal URL and then in email you can tell them to use the bookmarked URL (dont even give it to them, hence you can teach customer not to use not to trust URLs in email.

IanKelley




msg:3630632
 7:34 pm on Apr 19, 2008 (gmt 0)

You lose a sale because Paypal discriminates against my browser. How cool is that?

That doesn't appear to be the case. They are talking about eventually forcing people with existing PayPal accounts to use a modern browser when they login.

People without PayPal accounts would still be able to go through the regular credit card buying process. People with existing PP accounts have presumably logged into their account at some point already and therefore have a compatible browser.

D_Blackwell




msg:3630688
 9:19 pm on Apr 19, 2008 (gmt 0)

it's terrible to move to "We'll only do business with you if you use..."

Not necessarily, especially if can be done with a sledge hammer that practically ensures adoption.

I use a few sites that require IE. I can use IE for those sites - or not use those sites. It's my choice in the end. A good non-IE solution will get a good look. Ir there isn't one, then I get to decide.

Nothing wrong with anybody in the chain establishing a required or expected standard if they've got the clout and/or nerve to see it though. If it doesn't work out - then maybe a bad decision. But - allowing ancient browsers (and similar issues) to persist far beyond their useful lifespan is the fault of 'professionals' that have 'lowest common denominator' to become ingrained into their being. Bad for everybody in the long run. Standards that aren't continually raised are typically continually degrading.

When a vendor/customer/client changes a spec with regard to expectations, I can go along or move along. A whole lot more people need to be moved along. Providers and users both.

fabricator




msg:3630855
 10:56 am on Apr 20, 2008 (gmt 0)

I agree with swa66, Paypal and e-bay are magnets for fraud given the nature of their customer emails. Blocking accounts and sending an urgent email is one bad example.

I have plugins and sites that I use which only work properly in IE6, which hope no hope of being upgraded for IE7 or FireFox for several years, if ever. So to hell with upgrading to 'please' PainPal.

GrendelKhan TSU




msg:3631452
 11:58 am on Apr 21, 2008 (gmt 0)

Browsers not on the desktop could also be barred.

what does that mean exactly? they mean desktop shortcut? +_+

penders




msg:3631457
 12:17 pm on Apr 21, 2008 (gmt 0)

>> "Browsers not on the desktop could also be barred."
>> what does that mean exactly? they mean desktop shortcut? +_+

Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of the Opera on its DS and Wii gaming systems as lacking adequate antiphishing protection.

I guess that means the iPhone, Nintendo, DS and Wii are not considered to have a "desktop"?

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / HTML
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved