PayPal is in another stand-off with Apple over EV SSL (Extended Validation Secure Sockets Layer) certificates, but Steve Jobs & Co. may call the transaction service's bluff.
According to Ryan Naraine, PayPal is about to launch a whitepaper that advocates blocking transactions from browsers that don't have anti-phishing protection. This whitepaper is a thinly veiled attempt to get Apple to add EV SSL certificates to Safari.
PayPal's latest effort follows comments by CIO Michael Barrett in March.
Here's the whitepaper gist:
In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there's a "significant set of [PayPal customers] who use very old and vulnerable browsers" and made it clear that any browser that falls into the "unsafe" category will be banned.
"At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe—usually the oldest—browsers," he declared.
Ryan also quotes Barrett:
"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."
So what are the motives here? PayPal--a huge phishing target--obviously wants more protection. It obviously wants EV SSLs, but Apple won't budge. The solution: Go public.
But is Apple really going to be pressured this way? Highly unlikely. PayPal seems to be hung-up on EV SSL certificates, but couldn't Apple meet anti-phishing requirements another way? Why wouldn't Apple just create lists of offending sites or warn users if a page is sketchy? Does Apple really have to buy into EV SSL?
Meanwhile, it's unclear whether PayPal would actually follow through on a Safari ban. PayPal isn't going to annoy Apple users. And it isn't going to turn off transactions on the iPhone either. In this stand-off I'd say the advantage is all Apple.