Re: PayPal to Block Browsers
OH THE IRONY!!!!!
PayPal, which was suggesting they would start blocking certain web browsers in the name of improving security, has a ridiculously serious XSS (cross-site scripting) vulnerability on their own web site, and even the latest and greatest EV SSL won't help them - i.e., the URL actually starts with https://www.paypal.com. It is obviously not a "spoofed" web site - it's an actual vulnerability on their own site which allows hackers to "easily steal credentials" (according to the person who discovered this vulnerability). Remember when just last month they were talking about how EV certificates protect people from phishing and that "everyone should use EV SSL"? :-) This should be proof positive that an SSL certificate has nothing to do with whether or not one's site has 'secure' code on it that won't allow XSS or other injection type exploits.
You can read more about it here.
PayPal to Block Browsers
Re: PayPal to Block Browsers
Originally posted by Biffy:
The EV SSL certificate costs $2,695.00 for a 2 year license or $1,499.00 for 1 year. You can upgrade an existing Verisign certificate but prices are not posted.
Jen
Re: PayPal to Block Browsers
I fail to see how paypal.com changing their site is going to stop phishing. The whole idea is to trick people into visiting a completely different site and thinking it is paypal.com; then harvesting their login and password as they enter it at the fake site that looks like paypal. They could be using version 1x of a browser to do that. The thief is then going to use that newly acquired info to empty the person's paypal.com account using a browser that IS acceptable at paypal.com.
Last edited by wcw; 04-22-08, 04:30 AM.
Re: PayPal to Block Browsers
PayPal denies plan to block Safari
by Jonny Evans, Macworld-U.K.
Apr 22, 2008 12:23 am
Editor’s Note: The following article is reprinted from Macworld UK. Visit Macworld U.K.’s blog page for the latest Mac news from across the Atlantic.
PayPal has denied claims it plans to lock Safari users out of its online payments service as it reinforces its protections against online credit fraud.
It has been previously reported that the company intends strengthening its defenses against phishing attacks. Early reports indicating Safari may be affected by the company move to block users of older or less secure browsers were incorrect.
PayPal corporate communications spokesman Michael Oldenburg told 9 to 5 Mac: “PayPal is developing features to block customers from logging into PayPal when using obsolete browsers on outdated or unsupported operating systems. An example of such a browser/OS combination might be, for example, Internet Explorer 4 running on Windows 98. In doing so, we better protect our customers from viewing a phishing site through their browser. We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website.”
PayPal last week warned of plans to block PayPal users from accessing the electronic payment service if they are using older versions of web browsers as it continues its war against phishing attacks.
Phishing sites are designed to look like the legitimate websites of major brands such as banks and seek to elicit financial and personal information. Users are lured to the sites through unsolicited emails, or can unwittingly land on one if a phisher has bought a domain with a convincing-looking name or one with slightly different spelling.
Re: PayPal to Block Browsers
Actually, it's the Wall Street Journal that reversed course. Here's a quote from their website:
"Update: We just spoke to PayPal. It seems we in the media are reading too much into this. It will block people using old browsers and old operating systems, but contrary to many reports it will not block Apple’s Safari browser."
Wall Street Journal posting
The whole thing is caused by the obscure language in the original PayPal whitepaper. We still do not have a list of good and bad browsers, other than IE7 and FF3 are good. Are they just going to issue dire warnings to browsers they don't like? Are they trying to force merchants into buying the $1500 per year EV SSL certificate?
In short, not much has been cleared up that matters to Miva store owners.
Re: PayPal to Block Browsers
Looks like they reversed course today.
"Despite reports last week that it would be blocking transactions from going through on 'unsafe' Web browsers, online payment service PayPal (paypal.com) clarified in a written statement on Monday that this is not necessarily the case."
http://www.macnn.com/articles/08/04/...afari.to.stay/
Eric
Re: PayPal to Block Browsers
There's been a little more come out.
The technology is called "EV SSL", which is a Verisign product (naturally).
EV SSL FAQ
Support for it is being added to Firefox 3 and Opera. It will not work on any version of Safari. Verisign has written a module for Firefox 2 that adds support.
Support for IE 7 uses a software "updater" that runs during the payment process.
There is no support for IE 6 and none is planned.
The EV SSL certificate costs $2,695.00 for a 2 year license or $1,499.00 for 1 year. You can upgrade an existing Verisign certificate but prices are not posted.
Last edited by Biffy; 04-20-08, 07:10 AM.
Re: PayPal to Block Browsers
Sounds like it's their funeral... certainly our inconvenience... but ultimately their demise.
Re: PayPal to Block Browsers
"At PayPal, we are in the process of re-implementing controls which will first warn our customers when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe – usually the oldest – browsers."
The original paper does not list the bad browsers. The only one it says is "safe" is IE 7.
This is an in-house security technology that is not compatible with the signed signature technology being implemented as the global standards. It's possible and my fear is that PayPal will become a Microsoft-only payment processor.
A recent large website (WalMart Video) tried this MS-Only approach and failed. IE controls about 75%-80% of the browser market. Losing 20%-25% of sales is probably not an option for most Miva storefronts.
It's hard to decipher the deliberately obscure language of the whitepaper. Who knows what it really means? One thing is sure - we'll keep an eye on the situation. Another thing is sure - PayPal has a poor history with ecommerce merchants (reference the countless thousands of lawsuits) making them difficult to trust.
Re: PayPal to Block Browsers
I checked my site's statistics and found this usage for the period April 1 to April 19:
IE 4.01 2 sessions
Firefox 1.5.0.12 37 sessions
Safari 543 sessions (4.3%)
While the first two may be considered "negligible" I certainly don't consider the last one negligible.
What does the customer see when they arrive at the PayPal site from my site? A friendly "please upgrade your browser" wouldn't be too bad, but a refusal to connect would be terrible.
Re: PayPal to Block Browsers
The percentage shopping your site and using the browsers listed is probably negligible.
PayPal to Block Browsers