Apple should call PayPal's bluff

Apple should call PayPal's bluff

Summary: PayPal is in another stand-off with Apple over EV SSL (Extended Validation Secure Sockets Layer) certificates, but Steve Jobs & Co. may call the transaction service's bluff.

TOPICS: Security, Apple, Browser

PayPal is in another stand-off with Apple over EV SSL (Extended Validation Secure Sockets Layer) certificates, but Steve Jobs & Co. may call the transaction service's bluff.

According to Ryan Naraine, PayPal is about to launch a whitepaper that advocates blocking transactions from browsers that don't have anti-phishing protection. This whitepaper is a thinly veiled attempt to get Apple to add EV SSL certificates to Safari.

PayPal's latest effort follows comments by CIO Michael Barrett in March.

Here's the whitepaper gist:

In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there's a "significant set of [PayPal customers] who use very old and vulnerable browsers" and made it clear that any browser that falls into the "unsafe" category will be banned.

"At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe—usually the oldest—browsers," he declared.

Ryan also quotes Barrett:

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."

So what are the motives here? PayPal--a huge phishing target--obviously wants more protection. It obviously wants EV SSLs, but Apple won't budge. The solution: Go public.

But is Apple really going to be pressured this way? Highly unlikely. PayPal seems to be hung-up on EV SSL certificates, but couldn't Apple meet anti-phishing requirements another way? Why wouldn't Apple just create lists of offending sites or warn users if a page is sketchy? Does Apple really have to buy into EV SSL?

Meanwhile, it's unclear whether PayPal would actually follow through on a Safari ban. PayPal isn't going to annoy Apple users. And it isn't going to turn off transactions on the iPhone either. In this stand-off I'd say the advantage is all Apple.

Topics: Security, Apple, Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Isn't the larger point, ....

    ... why wouldn't Apple simply comply? It would seem that anything that protects their customer's from fraud is a good thing. Why does it always have to be Apple's way or the highway?
    • What advantage does EV SSL Cert's...

      offer over the standard certs ??
      • What does it matter(nt)?

        • I guess it matters because...

          ...PayPal is trying to force another company to (financially)
          solve it's problems. The fact is PayPal as a service has a
          minimum protection system for its members; it's nothing
          more than a ID and a password. There is no secondary
          security like banks use. Both my Bank of America and
          Merrill Lynch accounts use secondary security methods on
          their web sites, and there, we talking about hundreds of
          billions of dollars at stake. They've got no problems noted
          w/ Safari, in fact, they recommend it for Mac users.

          Think of this would you respond if your
          neighbor told you to chop down a tree in your yard
          because its shade is killing his grass? Surely, you can chop
          down the tree easy enough, but are going to? 'nuff said!

          • true... why not add the second layer of protection from the PayPal side?

            all my banks do that too.. you have an unique identifying phrase and
            an image... you go there and you don't see that... you know it's

            i don't think it excuses Apple from not considering anti phishing
            protection in their browser but to me... this really sounds like PayPal
            saying it's THEIR way or the highway, not Apple... because they have
            options that they could easily implement but they haven't... with the
            double layer of protection that banks use everyone is protected.. with
            PayPal's solution of choice only some are protected and others are
            unprotected or excluded... seems to me like it's PayPal that needs to
            get their own house in order before the go knocking on other
            people's doors..
          • This isn't pistols at dawn

            I'm going to expect, as a customer, that any effective
            scheme that increases the ability of two parties to avoid
            fraud over a networked transaction will be incorporated
            into the browser.

            But it is a readily observed truth that much of what is sold
            as security is security theater. And we've also seen
            security/authentication schemes that were thinly disguised
            attempts to insinuate vendor control and tool-booth fees
            into the world wide web and email.

            I'm not prepared to say Apple do this or PayPal do that or
            to map poker player motives onto either party. Face to face
            sales are fraught as it is. There is a belief that technology
            may somehow sublimate the additional complexities of two
            parties transacting over the network. I don't know. I don't
            know and I'm guessing not.

            In the meantime, security is not easy and we shouldn't be
            so excited when every two months another silver bullet is
          • Actaully Paypal offers a very good secondaty...

            protection in the form of key fob, it provides a random(Pseudo Random) 6 digit number that is typed in after your password.
            So if someone gets your ID and password they still need the Key Fob. This solves the issue much better than EV SSL
          • We are talking about server authentication

            Preventing phishing attacks requires stronger _server_ authentication, NOT client authentication.

            The EV-SSL certificates are all about creating greater security and trust in the server, so users don't go to a "bad" (aka phishing) website (impersonating their bank, etc.) and enter their credentials or other personal information.

            The secondary authentication you describe is client authentication and does _nothing_ to prevent phishing or man-in-the-middle attacks. The banks and financial institutions already know this, but this secondary client auth can be better than nothing, besides, it was mandated by the FFIEC so the banks and FIs really had no choice in the matter. Most banks and FIs use other types of fraud detection mechanisms "behind the scenes" to protect your account.
  • Blaming the victim

    This is nothing more than pay-pal attempting to blame the
    victim for their screw ups. EV-SSL will not fix pay-pal's
    security problems.
  • I applaud PayPal for trying to help the Internet

    The PWN to OWN contest proves that OS X is the [b]least[/b] secure OS in the world, being hacked in [b]two minutes!![/b] PayPal is simply standing up for those who have been fooled by Apple's lies when they sold you the lie that OS X was immune to all malware. Hopefully those poor victims will heed PayPal's word and start seeking alternatives. The good thing is that neither the OSS community nor Microsoft have [b]artificially[/b] or [b]onerously[/b] restricted their OSs to only run on the hardware that they themselves sell so guess what Mac owners: [b]YOU HAVE AN EASY SOLUTION!![/b] Wipe OS X, the OS that was hacked in 2 minutes, and install a secure OS. Then you can thank the developers of your new OS for not being anti-competitive and granting you the privilege of using their OS even though you didn't buy your hardware from them.
    • NonZealot, wow childish prattle...

      It doesn't matter what OS one uses it will become hacked.
      However, notice there isn't one virus for OS X in the wild.
      How many viruses are in the Windows realm? How much
      malware exist for Windows? How many hacks have hit
      Windows? The questions could continue. How many viruses
      were for Apple's classic OS, 50 perhaps? There are security
      articles that say from the web Windows can be hacked in
      15 seconds. Though it shouldn't happen it happens, that's
      life in the computing world.. What's your point, you ranting
      without substance or again starting a fight.

      Yes OS X was hacked in two minutes, it has since been
      fixed. As long as the issues are addressed, Window, Mac,
      Linux, Unix and the like, then fixed, honestly it doesn't

      What's wrong with Apple designing their own equipment
      then making the OS X to best run on it? Apple designs
      both for their systems, seems to work better. Think about
      it, in the Windows world someone makes the hardware,
      someone else makes the OS, both are fighting among
      themselves. Is that better? I think not, but it happens, oh-
      well. You don't want an Apple don't purchase one but,
      don't childishly put folks down that prefer Apple.

      Now don't give me the story that Windows computers are
      more inexpensive than Apple. All the PC makers make
      both very inexpensive and, quite expensive computers, go
      beat them up for their pricing as you do Apple. Mercedes,
      BMW, Bentley, etc. cost more than a Chevy. Purchase what
      you want then enjoy it.

      You use Windows it works for you, you're happy with it
      that's a good thing for you. Now add some substance to
      these boards.
      • Fodder

        Marcos El Malo
    • Crawl back under your rock. Please... (nt)

    • NO OS was hacked in that contest...

      ... that happened on day one.. and NO OS was hacked.... on the
      following days a Mac and a PC running windows were hack by
      exploiting vulnerabilities on software on those computers (Safari
      on the Mac and Flash on the Windows machine).. i.e. no vulnerabilities in any of the OSs in the competition were
      exploited.. NONE! both vulnerabilities on Mac and Windows
      machines have since been patched and don't exist anymore.

      please get a clue! and a life! and please do us all a favor and
      start taking your meds again... PLEASE! not really for us, do it for
      • Actually, the vulnerability...

        was in the open source WebKit, which has since been

        It could have been used against the Vista machine, as well,
        but obviously, he wanted the Apple, not the Sony.
        • Good Amplification

          I'm far more concerned about wi-fi and rich internet
          application programs leading to my systems being
          compromised than with the threat from any particular
          operating system.

          I remember jumping up and down about how wrong it was to
          mix data with executables and here it is we painted ourselves
          into the same corner with web pages, javascript and plug-
      • If Safari was the entry point

        and Safari is a part of the default installation, how can you say the OS was not hacked?
        Michael Kelly
        • Although it is part of the default installation...

          it can be removed. There are many people who use
          alternative browsers on the Mac, both WebKit and Mozilla
          based (both open source).

          Since the same vulnerability existed in both the Windows and
          OSX version of WebKit, I wouldn't call it an OS hack.
          • I sure would

            If two banks bought vault doors from a the same company and those doors were found to be able to be unlocked by a leaked master combination, I'd say both banks were insecure. Wouldn't you?
            Michael Kelly
          • An OS is not a bank.

            Stupid analogy, sorry.

            WebKit is not part of the OS. The vulnerability was in WebKit.
            Any WebKit-based browser on OSX or Windows was
            vulnerable. The patch was to WebKit.

            If we were to stick with your analogy, would you rebuild the
            vault, or fix the doors?