February 29, 2008

safari unsafe? paypal thinks so.

There's been a lot of coverage of the PayPal Safari kerfuffle over the last few days.

Dear PayPal, Safari Isn’t The Security Problem, Dear PayPal, Safari Isn’t The Security Problem, Paypal and Safari, PayPal excludes Safari from "Safer Browsers", PayPal is not making me feel safe, PayPal not an Apple fanboy, discourages use of Safari, PayPal On Security?, Paypal says avoid Safari, Paypal says avoid Safari browser, PayPal says NO to Safari, PayPal Says NO to Safari: We Say Take Responsibility for Your Actions, PayPal Says: Safari Is Not Secure, PayPal to Safari users: 'Ditch it', Paypal to Safari Users: Switch Browsers or You'll be a Victim of Fraud, Paypal warns buyers to avoid Safari browser from Apple, PayPal Warns Safari Users, PayPal: “Safari not safe” Huh?, PayPal: Safari is a little phishy, PayPal: Safari Open To Online Fraud, PayPal: Steer Clear of Apple's Safari, PayPal: Steer clear of Apple's Safari, Safari "lagging behind" on security, Safari browser does not get PayPal's stamp of approval, Safari Excluded from Paypal’s “Safer Browsers”, Safari Not Safe Enough For PayPal, Safari not secure against phishing, says PayPal, Safari unsafe for PayPal, Who's responsibility is security?, PayPal warns against using Safari because of its lack of anti-phishing technology

My take is that PayPal is just about right.

PayPal is probably the number one or number two target for phishing online (I'm basing this on the contents of my email spam folder) and so I can see where they'd want their users to have the best possible protection against phishing. Firefox 2 and IE 7 offer built-in, and in the case of Firefox, highly effective, phishing protection. Firefox 3 will offer major improvements in the usability and discoverability of site identity information, including but not limited to EV Certificate support. The combination of phishing protection and easier to discover and use site identity information is a powerful weapon against social engineering attacks like phishing.

Some folks have disputed the value of these tools to users. A few have even suggested that social engineering attacks like phishing aren't something a browser should attempt to thwart or mitigate -- that less sophisticated Web users deserve what they get. I couldn't disagree more with both of these points.

Jeremiah at his eponymous blog says "Phishing attacks are attacks on visitors, not technology. The solutions aren’t likely technical."

Brian Reilly at his "other" blog, says "I think you need to be more vigilant yourself rather than planning for Microsoft to save you by fixing their browser. Phishing is easy to spot if you pay attention. I don’t think I want to rely on my browser for that anyway."

Kevin Williams over at Almost Serious says, "I have to throw the sacred plaid Bullshit flag on this one. IE making the address bar turn green only serves to prove to me that IE developers can tell green from red or blue. Big flipping deal. Do they really expect me to believe that stupid IE users who blindly log in to anything that looks like a PayPal login page proves that IE is more secure? If anything, it tells me it is less secure, and used by idiots. Is there a web standard here, or is this a little bit of Tony Soprano at work?"

Mr. Mayor at Mactropolis said, "I think I can sum this whole argument up by simply saying… It’s time for all of us to take responsibility for our actions on the net. It’s true, unfortunately there are a lot of criminals out there ‘phishing’ for your paypal/bank logins out there… Gleaning private login info and stealing hoards of $$$ from the innocent. That’s awful and it sucks… But if we can step-up our own accountability and responsibility on this issue… There will be fewer victims and we’ll all be in a better place."

Jay Melton at his blog, scholar.jklmelton.net says, "Sorry PayPal, the problem lies in how people deal with email, not with the browser. Anyone clicking on any link in an email message is asking for trouble. If you need that link, copy it, paste it, and then read the URL carefully. If you don’t recognize the domain or the directories after it, don’t use it. You can get to the site using your bookmarks to be safe."

Tom Stovall at his blog, stovak.blogspot.com asks, "Who's responsibility is security? The expectation that a car manufacturer would build a car that would tell you when you're going to be car-jacked seems a bit far-fetched.... I understand too well how unreasonable the uneducated computer using hoards (READ 'windows users') can be.... If you're stupid enough to give your login information away, that's just darwinism in action. You are the slow antelope of the herd and as such, have been selected by nature for extinction."

The Phishing Protection feature in Firefox has already saved countless numbers from online fraudsters. I've seen this personally with friends and family and I've seen scores of blog posts from people thanking Firefox for saving them from scams -- many related to PayPal phishing.

To those who doubt the efficacy of EV certs based on a study of IE 7's current UI, are also pushing flawed information. Just because IE's implementation is less than ideal doesn't mean that Firefox's will be or that we won't see all browsers advancing the usefulness of EV cert features. And, in addition to the EV information, Firefox is also adding quite a bit more, easy to find and use, information about websites that will help people determine if they're at a legitimate or a phishing destination.

Finally, to those who say that less sophisticated users deserve what they get for not being more advanced, I say go jump in a lake. Not everyone out there spends the kind of time online that you do. Not everyone out there understands the details of the URI specification as well as you do. Not everyone out there is capable of understanding that even bad guys can buy a lock icon for less than $100 these days.

Just because you can spot a phishing attack doesn't mean that everyone else can or should and it is absolutely the job of the browser to correct the flawed "lock means you're safe" perception and the silly "learn how URIs are constucted" meme, with better site identity information and features like phishing and malware protection.

Now, back to PayPal. PayPal takes social engineered threats as seriosly as encryption or code flaws. It has to. Phishing is so much easier to pull off than cracking a browser or an encrypted client server session. Even lowering their exposure to these kinds of attacks by a fraction of a percent is a huge win for them, both financially and strategically. I think that PayPal is absolutely right to let its users know how to do the most they can to stay safe and secure online.

The Web has become a necessary part of the lives of more than a billion people worldwide. Web browser makers can and should be in the business of making the Web not just more "secure" but actually safer.

Posted by asa at 1:40 PM