Most controversial is the idea of blocking "unsafe" browsers, or browsers that do not currently include antiphishing tools. PayPal says it would first notify users when they log in if they are using an unsafe browser. Later, PayPal would simply block the use of the browser entirely. PayPal is interested in enforcing new Extended Verification SSL certificates used by Internet Explorer 7 and the upcoming Mozilla Firefox 3. EV SSL highlights the address bar in green when the site has been certified. Other browsers, such as Apple Safari and Opera, do not currently include these protections.
Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of the Opera on its DS and Wii gaming systems as lacking adequate antiphishing protection.
The bigger news is that this could spell the premature death of IE6
Not quite, I'm afraid. In the BBC's report they quote PayPal talking about IE3 and IE4 instead!
"Paypal said some users were still using Internet Explorer 3"
[news.bbc.co.uk...]
There's nothing wrong with the idea of EV SSL, since it does the verification that should probably be built into getting a cert anyway, but what's this got to do with phishing?
The overwhelming majority of phishing websites I've seen don't use SSL at all, so is there any reason to believe users will learn to look for a green bar if they don't currently look for a padlock or for any other warning signs?
"Paypal said some users were still using Internet Explorer 3"
Paypal meant that some users were still using browsers that reported themselves as IE3. IE6 does not support EV so it will be blocked if they go through with this.
I suppose once all browsers have EV support then they can plan a big campaign around looking for the yellow and green bar. EV should also make it impossible for someone to register a certificate for 'paypall'. Therefore you can guarantee to your users that they are on your site as long as they see "Paypal Inc. (US)" in the green part of the url bar.
[edited by: tedster at 4:57 pm (utc) on April 19, 2008]
[edit reason] add note about the link being a pdf [/edit]
No, the bigger news is that this move by Paypal is going to affect your bottom line, which is why I started a thread about this in the Ecommerce forum.
I use Windows 2000, and therefore can proceed no further than IE6. (Please, allow me to remain blissfully unaware that I can use a different browser. ;) ) So, if I visit your site and try to make a purchase, what happens?
You lose a sale because Paypal discriminates against my browser. How cool is that?
Now, I'm smart enough to know that's not you imposing this browser apartheid, but what about your other potential customers? Will they understand the philosophy of, "We refuse to sell to you - it's for your own good"?
It's great that "we" advocate getting away from the "This site best viewed with..." philosophy, but it's terrible to move to "We'll only do business with you if you use..."
But that'll not kill off IE6, they seem to be dancing to Microsoft's tune.
EV brings nothing (unless you're a CA, or unless you're Microsoft and need to draw attention away from your problems).
Built-in browser anti-phishing ... I've actually tried to set it off to get a screen capture to use in an awareness session. From all the recent phishing samples I had in my mailbox *none* triggered any of them.
Paypal better change shoulder fast and do something that would matter in the long run. E.g. talk to their buddies at Microsoft about making them drop ActiveX completely; it is, was and will be a bad idea.
Also they better look at themselves: stop sending rich email with links in it. Tell customers to bookmark a portal URL and then in email you can tell them to use the bookmarked URL (don't even give it to them, hence you can teach customers not to use, not to trust, URLs in email).
You lose a sale because Paypal discriminates against my browser. How cool is that?
That doesn't appear to be the case. They are talking about eventually forcing people with existing PayPal accounts to use a modern browser when they login.
People without PayPal accounts would still be able to go through the regular credit card buying process. People with existing PP accounts have presumably logged into their account at some point already and therefore have a compatible browser.
it's terrible to move to "We'll only do business with you if you use..."
Not necessarily, especially if it can be done with a sledge hammer that practically ensures adoption.
I use a few sites that require IE. I can use IE for those sites - or not use those sites. It's my choice in the end. A good non-IE solution will get a good look. If there isn't one, then I get to decide.
Nothing wrong with anybody in the chain establishing a required or expected standard if they've got the clout and/or nerve to see it through. If it doesn't work out - then maybe a bad decision. But - allowing ancient browsers (and similar issues) to persist far beyond their useful lifespan is the fault of 'professionals' that have allowed 'lowest common denominator' to become ingrained into their being. Bad for everybody in the long run. Standards that aren't continually raised are typically continually degrading.
When a vendor/customer/client changes a spec with regard to expectations, I can go along or move along. A whole lot more people need to be moved along. Providers and users both.
I have plugins and sites that I use which only work properly in IE6, which have no hope of being upgraded for IE7 or Firefox for several years, if ever. So to hell with upgrading to 'please' PainPal.
Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of the Opera on its DS and Wii gaming systems as lacking adequate antiphishing protection.
I guess that means the iPhone, Nintendo, DS and Wii are not considered to have a "desktop"?