Filed under: Internet Tools, Security
PayPal says it won't block Safari
There's been some talk about PayPal blocking Safari from using its services, and I'm among those concerned about it... even if only from a convenience standpoint. Originally the news was gleaned from statements by PayPal Chief Information Security Officer Michael Barrett regarding browsers without phishing protection -- which most assumed included our beloved Webkit-based compass. But in a brief addendum to a post at the Wall Street Journal last week it was reported that -- while Paypal will be blocking older browsers (IE4-era) and older operating systems -- Safari is safe from the cut.
I'm relieved, at least from the previously mentioned convenience standpoint. I prefer Safari as my surfing browser1 and I frequently use PayPal. It's too bad that there are still a good number of sites that, while not blocking Safari, just plain don't work with it yet. Add to that some of the great plugins available for Flock/Firefox and you'll almost always find me with multiple browsers open. In much the way that the iPhone is preventing Gargoylism* by consolidating peripherals, I'm hoping for a day when I open just one browser in the morning. I'm getting a little teary-eyed thinking about it.
1Since I know it will be bandied about in the comments, I'd like to offer these reasons for preferring Safari: It's faster (in general). It's more elegant (or prettier, either way it's subjective). It's AppleScriptable (which I make daily use of). And it's more elegant (redundant, but worth mentioning again).
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
webmaster said 8:08PM on 4-21-2008
If someone can't figure out they're at 1123.123.23423/paypal instead of paypal.com they deserve to lose their money anyway.
Reply
Sam Hall said 8:46PM on 4-21-2008
I would say that people who blindly click on links from emails and enter their personal account info are "stupid", but my mother was taken like this and it is not polite to call your mother "stupid".
In a perfect world, people would be savvy enough to check this, but most users are not. Apple should add the anti-phishing capability in and be done with it.
As to Safari, I wholeheartedly agree. I tried FF3b for a while. Wrote about it here and here. Went back to Safari.
Reply
Sam Hall said 8:52PM on 4-21-2008
That would be here:
http://samrhall.com/2008/03/26/firefox-3-versus-safari-31/
and here:
http://samrhall.com/2008/04/12/and-the-winner-is-safari/
:)
Ed said 9:43PM on 4-21-2008
I did the same. Firefox is a great browser, and the best on any other platform, but you just can't match Safari on OS X.
Justin said 8:59PM on 4-21-2008
How do you use Applescript + Safari? (Not "how" as in how does it work.. but what do you use it for?)
Reply
Brett Terpstra said 9:47PM on 4-21-2008
Quite a few possibilities, given the ability to retrieve names and urls of any tab in any window, the ability to run javascript within any page, open and close windows and tabs, pull the source of a page, etc.
My #1 use of AS and Safari is within TextMate, where I can highlight text and hit a key combo to pop up a menu of all open Safari tabs, pick one and have the highlighted text link to that page with a title attribute. I've also recreated the feature as a ruby script that uses osascript to accomplish the same thing from other programs. I can also hit a key combo (FastScripts) to open a list of all tabs, select multiple list items and have it close those tabs or all but those tabs when I hit OK.
I call osascript a lot from other languages to incorporate the information you can retrieve from Safari into things like Scrivener, VoodooPad, etc.
It should be noted that it's possible to get *some* info from Firefox, it's just not fluid enough to make it worthwhile. This is starting to sound like its own post...
John from buffalo said 9:41PM on 4-21-2008
Damn straight motha-fsckr!
I would simply use the enable-debug tools, and set my browser signature to be sent in HTTP as IE 6.0. Stop that ....
Reply
Ed said 9:45PM on 4-21-2008
bash-3.2# fsck -mom
Rubbinz said 9:56PM on 4-21-2008
The whole idea of PayPal blocking any browser is just stupid. How does blocking a browser from the official PP site prevent some fool from blindly falling for a phishing scam? It doesn't, as the scam is taking place on a site not controlled by PP. All it does is prevent that fool from going to the real PayPal.
Reply
Ed said 10:05PM on 4-21-2008
The idea is to decrease the use of those browsers by idiots who use PP all the time but are too stupid to know phishing when they see it. Most such idiots would not know how to do anything except switch to a supported (with phishing protection) browser.
basscadet said 5:00AM on 4-22-2008
No Anti-Phishing apps support says it all. What Paypal wants to protects is users that wouldn't notice that small coma (,) at the end of a URL that would mask a fake URL.
Sabi said 10:01PM on 4-21-2008
I hate paypal...
seriously worst company ever for sellers.
I hope they disintegrate...
(sorry for the hate but it has to be said)
Reply
Mark Studdock said 11:14PM on 4-21-2008
nice Snow Crash reference.
Reply
theGeoffMeister said 11:51PM on 4-21-2008
Don't block Camino.
Don't block Camino.
Reply
Ed said 12:12AM on 4-22-2008
Change your user agent.
Change your user agent.
http://pimpmycamino.com/parts/user-agent
garbish said 12:02AM on 4-22-2008
What's all this cocoa and carbon all you douches are talking about, Heloooooooooo. DO YOU PEOPLE KNOW WHAT WINDOWS IS? Apes.
Reply
michas_pi said 1:20AM on 4-22-2008
Yes, we know what Windows is; it's a piece of shit :)
I kid, I kid.
Tom said 4:10AM on 4-22-2008
A bit late in the day, but I wondered who's responsible for the security of Safari?
Is it Apple of Webkit? I get the feeling it's Apple, and kind of hope that they'll realise it's a problem now it's all been through the news and do something about it...
Reply
Michael said 5:36AM on 4-22-2008
WebKit is the rendering engine Safari uses.
WebKit is open source, and Apple employees aren't the only ones working on WebKit. If someone else whose product uses WebKit finds a bug in the code that's a potential security problem, then he could submit a patch, too.
I don't know exactly who has or hasn't got commit access and how far that's controlled by Apple.
AFAIK, much else apart from the rendering engine that's used in Safari is closed source and specific to Apple. So only Apple employees will be concerned with that code.
Paypal's gripe with Safari, as I understand it, is that Safari does not support "Extended Validation". (You could look that up at Wikipedia, if you wanted to know more.) It's basically a scheme where a website will pay a helluva lot more for a special SSL certificate. There's more extensive vetting, and anyway, an EV SSL certificate costs more than a phisher would be likely to want to pay.
When a browser that supports these certificates reads one its address bar will go green. at one time only IE 7 supported EV, but now Firefox 3 beta does, too.
Go to Charles Schwab in FF3 beta if you want to see EV in action:
https://www.schwab.com/
Extended Valuation doesn't mean a lot to most people, because few sites use it -- not even many major sites that do a lot of online business, like Amazon. It's hardly surprising that Safari (and *release* versions of Firefox) and have not yet implemented the scheme.
However, PayPal uses EV certificates on its sites. I doubt IE users notice the green bar or know what it's for. But it sounds like PayPayl is pissed off at Safari, because it's paid for the damn certificates, and now it wants to feel its getting value from its purchase.
I shouldn't fret over it. There's not many sites using EV, and I'm sure Safari will get EV support at some point.
Jonathan Entwistle said 6:28AM on 4-22-2008
Plus, Safari is a Cocoa App which just means that it sits nice and seamless in OS X
Reply