PayPal Denies It Will Block Safari

Despite reports that PayPal may drop support for Apple's Safari browser because it lacks anti-phishing features, PayPal now says it ain't so. Though PayPal telegraphed displeasure with Safari last January, they're now unambiguous about their position: "We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website."

Current versions?

[calebt3]

So up-to-date Lynx, Links2, Dillo, etc are all perfectly acceptable?

Re:Current versions?

[menace3society]

I think the point is that they won't specifically block them. They will block browser programs that are known to be unsuitable, like the Netscape 2, or IE 4, or Mosaic.

However, if you use browsers don't support plug-ins/protocols/captchas/whatever that paypal demands of the browser, you may still be SOL.

In short: I expect there will be a black-list of unacceptable browser versions, rather than a white-list of accepted browser versions.

Backpedaling faster tha you can say...

[Fluffeh]

Wowsa, that change is quicker than it takes the read the following:

Previous: "We know better than you do about what you should and shouldn't be using, so we will stop you possibly getting yourself into trouble."

Current: "Wow, there are so many of you that are quite happy to be wrong that we think you better be allowed to get yourselves into trouble."

My interpretation: Right or wrong, the masses will always win it seems.

Re:Backpedaling faster tha you can say...

[cheater512]

They never said that they'd block it in the first place.
They said that they would block the insecure browsers.

Specifically browsers like IE 5.5 which is old and should never be used anymore.

Re:Backpedaling faster tha you can say...

[gmack]

This has the fun advantage of making life easier for people designing websites. Fewer old browsers out there means you don't need as many stupid hacks to make it all work.

Re:Backpedaling faster tha you can say...

[Fluffeh]

There were quite a few indications that Safari would have been included in the list of browsers that no longer were supported:

Ars link
Anti Phishing Block

So, the general meaning of "so we will stop you possibly getting yourself into trouble" really wasn't wrong. Just because you don't type it in with black and white fonts doesn't mean you don't mean it.

"Lets put this out and check public reaction before we make it 100% official.

Re:Backpedaling faster tha you can say...

[dbIII]

That's a bit of a pain for those of us that have upgraded from Vista to OS X 10.3.

It looks like only those that have upgraded from Vista to Win2k are being supported.

Re:Backpedaling faster tha you can say...

[CastrTroy]

From what I read, they said they would block browsers which didn't have detection of phishing sites. That includes Safari, and quite a few other browsers which would probably be otherwise considered secure.

Re:Backpedaling faster tha you can say...

[kc2keo]

I'll drink to that!

Re:Like I care ?

Real men FedEx cash.

Are you sure?

[TheRealMindChild]

they're now unambiguous about their position "We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website."

It still sounds ambiguous to me. They could certainly mean "We will not target Safari by name, but we will just make you install a plugin that we know Safari can't use".

Re:Are you sure?

I work for PayPal, so I'm getting a kick out of these replies. Some of you guys are very good at making it sound like you know what you are talking about.

But trust me.... You don't.

I think you just want to make yourself sound smart, when in reality you don't know what you are talking about.

This is how bad info gets passed around.

If you don't know about the topic....Don't make yourself sound like you do.

PayPal's only motivation in blocking Safari is to keep the gays out. That's all. Don't paint any sinister motivation. That's just good business sense.

Re:Are you sure?

[Admiral+Ag]

They can't afford to block Safari, not because of the Macintosh or Windows version, but because of the iPhone/iPod Touch version. The latter is rapidly becoming the standard for mobile browsing (or at least has such a large share that it cannot be ignored).

The increasing popularity of mobile browsing is an opportunity for Paypal to act as a mobile digital wallet. There's certainly no point in carrying a debit card if you can just use your phone. I'm guessing that is Paypal's aim. Whether or not they can beat the banks to direct money transfer is debatable though.

Re:Are you sure?

[Hal_Porter]

Yeah, Safari is great on the iPod touch. I can browse to a web page to jailbreak the machine.

I can't imagine why anyone would think it was insecure.

Re:Are you sure?

[Admiral+Ag]

Then it is in Apple's interest to work with companies like Paypal to improve security. This is a case where market incentives can provide a solution. Of course it ought to be done in such a way that doesn't prevent people from jailbreaking their units if they want to.

Re:Are you sure?

[Hal_Porter]

Of course it ought to be done in such a way that doesn't prevent people from jailbreaking their units if they want to. How will that work? The iPhone was supposed to be locked down like a cellphone and the Touch inherited that. If you can jailbreak a machine you can also run arbitrary code on it by definition. Which means it is insecure.

Re:Are you sure?

I work for PayPal ... Don't ever shave your head then.

The "666" will show.

Re:Are you sure?

[slashdot4ever]

You are new here aren't you?

Re:Are you sure?

[TheSkyIsPurple]

Dude... this isn't Fark /Random slashie

Re:Are you sure?

They can't afford to block Safari...

And they don't need to. Steve Jobs reality distortion field automatically negates phishing. However unlike all other anti-phishing techniques, instead of patching the browser, this method patches the user. So never fear, you are safe...

Re:Are you sure?

[xaxa]

The increasing popularity of mobile browsing is an opportunity for Paypal to act as a mobile digital wallet. There's certainly no point in carrying a debit card if you can just use your phone. I'm guessing that is Paypal's aim. Whether or not they can beat the banks to direct money transfer is debatable though. But there's hardly any inconvenience through carrying a debit card anyway...

Having said that, in Japan some phones have transport passes integrated into them, and in London there's an integrated transport pass, credit card and RFID 'small purchase' card (for buying coffee etc), though I'm not sure how well the latter is catching on, I haven't seen anyone with one yet.

Paypal would have to reduce their fees a lot to gain much use by retailers, but maybe that will encourage the card processing companies to reduce their prices too.

Re:Are you sure?

[RiotingPacifist]

I work for the federal bank of Nigeria, i would like to inform you that a recently deceased prince, left 500 mod points in his acount. No one will ever come forward to claim them and according to The Law of Nigerian Government, at the expiration of 10 years the, Money will revert to the Ownership of the Nigerian Government. We decided to contact you to assist me in claiming these mod points for safe Keeping and investments on her behalf as everything will be taken over by the government as provided in section 129 sub 63(N), Africa Banking Edit of 1961.
This prompted us to contact you. In exchange for passing on you slashdot account details you will be credited with 10% of the mod points, The Transaction is 100% Legal and totally free of risks as all modalities has been Perfected to ensure the hitch free success of the Transaction, however due to some security risks we can only accept applicants who are using an recent version of Mac os X

I look forward to hearing from you http://www.slashdot.scam.nig/

Re:Are you sure?

[Hal_Porter]

I wonder if you could make a OS X exploit that works on both ARM and x86. You'd need to find a sequence of four bytes that was a NOP or something harmless on one architecture and a jump on the other?

I was thinking of something like this

0x67 0xE9 Lo Hi

Which is a jump rel16 on x86, overriden by the address size prefix. On a little endian ARM this looks like this

0xHiLoE967.

Now if rel16 was negative and between 0 and -256 I could make it Hi=0xFF. Which used to mean NV, i.e. the instruction would be a NOP regardless of the other bits. Unfortunately NV is deprecated and the instruction space is used for new instructions. Which makes this code harder to write. It's probably possible though.

Re:Are you sure?

[mr100percent]

That was in the 1.1.1 version, last year. Apple patched it up pretty quickly and the mobile apps are also running as a different, non-root user.

Re:Are you sure?

[Hal_Porter]

Hmm so many people have told me.

But how can jailbreak my iPod touch after I upgrade?

You know it would be good for security if the touch wasn't sold 'jailed'. Then I wouldn't depend on security holes to be able to install third party applications.

At home I have a PC and I can install things since I have local access. But I can still patch the machine so random people on the internet can't install things. This is actually quite useful. Ironically enough for most people an unpatched iPod touch is actually the reverse of this. They can't install applications because they aren't geeky enough to work through the jailbreaking process. But websites they visit could easily put a malformed TIFF somewhere and steal their passwords.

Re:Are you sure?

[Tony+Hoyle]

There are lots of other bugs, including what looks like a design flaw in trustzone that allows pwnage to work (trusted code has to call back to untrusted code to do various things).

Safari (and other applications) no longer run as root.. it took them until 1.1.3 to fix that but they eventually did.

Re:Like I care ?

[RuBLed]

Spot on! And you can track where your money is.

*ducks*

When I heard...

[v(*_*)vvvv]

they were going to deny certain browsers, I said the terrorists won.

I take it back. PayPal are the terrorists.

Re:Wish Apple Would Fix it

[JustCallMeRich]

I wish apple would fix Safari (and Mail too) to better display the actual targets of links. View menu - Show Status Bar.

Now you have a little bar at the bottom of Safari that shows you the actual target of links.

People still use Paypal?

I closed my Paypal *and* eBay accounts when eBay said you HAD to accept Paypal in order to sell stuff and Paypal said they would hold payments for 21 days. Hated to see all that positive eBay feedback go, but I don't like being dicked around by corporate bozos.

There are so many other alternatives to Paypal that I don't see why people bother with it.

Re:People still use Paypal?

[dgatwood]

If/when they do this in the U.S., I will stop using eBay. I'm no longer gong to deal with PayPal after the fiasco on a group buy I've been involved with.

Backstory: A bunch of us on a home recording bulletin board set up a group buy to purchase microphones, preamps, shock mounts, etc. from a manufacturer in China. This is about the third or fourth group buy organized by the same person, so his reputation is darn near unquestionable.

After order taking was done, we got sabotaged. Someone (who we strongly suspect works for a company that imports from this vendor and sells at a huge markup) signed up for a Yahoo email account and joined the group buy and requested a small item. Once about 10% of the people had paid their invoices, this person paid for the item, then sent in a claim to PayPal. The problem is that this person claimed to be a member of a bulletin board, yet that person has never been a member of the board in question. So basically the whole complaint was one giant fraud, and we're pretty sure we know who did it, as they have tried to sabotage group buys in the past....

Since the complaint was filed, PayPal's story keeps changing. First, they said that the person claimed he hadn't received an invoice, which is absurd, but easily rectified if the person had contacted anyone involved. Next, PayPal provided lots of details about how the group buy worked (way more than you would normally expect) and said that it wasn't a type of transaction that they wanted to deal with. That I could believe, but it isn't a violation of their TOS as best I can tell. Finally, they claimed that someone had claimed the product was "not as described", which is pure comedy since the manufacturer hasn't started making the products yet. Basically one half truth after the next (and even that half is giving PayPal the benefit of the doubt...).

After about a week of this crap, PayPal finally released everyone's funds. Fortunately, this time, one of the people they were screwing was friends with a highly placed executive at PayPal, so we had some leverage to get the situation expedited and get our funds back in a timely fashion. The last time PayPal screwed over a group buy, it took several weeks before we got our money back. (Yes, these dirty tricks have happened before thanks to a certain company who will remain nameless at least until I can prove it was them---if anybody in Yahoo's mail team would be willing to help with this, you'd have about 400 fans for life....)

Unfortunately, however, the person who set up the group buy had received another payment for an unrelated sale and needed the money to pay his taxes. His account is frozen for something like six months, after which he'll get his money and his account will be closed... all because of a single complaint by someone who could not provide one shred of documentation of any communication with the seller prior to filing the complaint.

Having seen how PayPal treats sellers, I'm no longer inclined to do business with PayPal. If I can't trust them to hold up their contractual obligations and do so in an equitable and reasonable fashion, then why should I trust them with my hard-earned money? I'm not protected any better than I used to be back when eBay sales all happened with cashier's checks, so why should PayPal be getting a cut if they aren't providing any real additional protection for the transaction?

At this point all I can say is this: PayPal Sucks, and if you deal with them long enough, you will eventually get burned. It's just a question of when.

Re:People still use Paypal?

[SirJorgelOfBorgel]

Yup, PayPal definitely sucks.

I run a business, about a month ago we started to accept PayPal as payment (while waiting for our own merchant account to clear). We made about $17k in a week. We transferred the first $7.5k to our bank account (thank god!) after a day or two. After no more than seven days, PayPal closed our account, without giving any reason.

After having our lawyer write some letters to them (they didn't respond to us ourselves at all), and PayPal giving several different and evasive andwers, it came out that the 'contact person' for our business account had once ordered something of an erotic nature with PayPal, and that is against their agreement.

Now, several things are wrong with that. I won't go so far as to say that person has never bought erotica, I don't know and really don't care. What is definitely wrong with that, though, is that said person has only made two PayPal payments in his life and they weren't related to erotica (yes I am sure of this). Furthermore, PayPal mentions accounts that do not actually exist and never have. It's complete BS.

What else is wrong with that, how the hell can they close a business account because they do not like the contact person's personal account. Since when is a company responsible for their employees' private actions? What's worse, their allegations aren't even true.

So now PayPal is sitting on $10k of my money I desperately need, without a valid reason. They refuse to clear it, they refuse to discuss it. They have even refused giving us the 'offending' transaction details (how the hell can we dispute anything if we don't have access to the data?) - lawyer is dealing with that, though.

All in all, the money, the lawyer costs, the lost customers, reputation damage, etc, are now easily more than a $50k loss for us.

Should you read this and be a no cure no pay type lawyer (hey, PayPal got my money) in the UK, feel free to drop me a line so we can talk about sueing PayPal's pants off (our company lawyers cannot help us there, as PayPal Europe operates under English law and we're not from England).

Hey, I thought it wouldn't happen to me. But yeah I got burned. Doing business with PayPal is an accident waiting to happen...

Re:People still use Paypal?

[jrumney]

Paypal Europe operates under Luxembourg law now, and they are a bank, so subject to whatever requirements Luxembourg puts on banks for handling disputes and account closures. Fire your lawyer and get a new one, as they are clearly incompetent if they have not figured this much out yet.

Re:People still use Paypal?

[Spatial]

Wait... Paypal isn't regulated? What the hell? How can a company who deals with stuff like this not be accountable to anyone?

Re:People still use Paypal?

[petermgreen]

There are so many other alternatives
How many of them have the international presense and existing userbase that paypal does?

Yes paypal charges fees but paying both the foriegn transaction fee on my debit card AND bidpays fees is a lot more expensive.

and the price for a bank transfer from my british account to a german account was stupidly high (I ended up sending cash through the post for that transaction because that was the only mutually acceptable method that the seller and I could come up with).

Re:People still use Paypal?

[dgatwood]

Hey, I thought it wouldn't happen to me. But yeah I got burned. Doing business with PayPal is an accident waiting to happen...

And the sad thing is how many people say just that. We read the stories and assume it's just a fluke---that it can't happen to us---but in reality, it can, and almost every person who PayPal screws is someone just like us. PayPal is basically the internet equivalent of a tumor. Most of the time, it's benign, but in those few cases, by the time you notice that it isn't, it's too late.

In my "loathe" pile, PayPal now sits lower than Verizon, and I never imagined I could find a company I loathed more than a telco.

Re:People still use Paypal?

[makomk]

Are you trolling or did you just not read the comment? The whole point was that the person who was doing the actual purchasing for the group buys was honest and did their part, but someone put in an order for a part in the group buy then made some blatantly false claims, and Paypal majorly (and unjustifiably) screwed over the person doing the purchasing as a result (which was probably the reason for the false claims in the first place).

Re:People still use Paypal?

[Walter+Carver]

Tell me the alternatives. I am not trolling, I just want to know.

Trying with Lynx:

[SanityInAnarchy]

lynx https://www.paypal.com/
SSL error:no issuer was found-Continue? (y) y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: cookie_check=yes Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: navcmd=_home-general Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: navlns=0.0 Allow? (Y/N/Always/neVer)y
# FINALLY there's a homepage. "Member Log In" is on the second page.
SSL error:no issuer was found-Continue? (y) y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
Refresh: 1 seconds
https://.../
SSL error:no issuer was found-Continue? (y) y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y
www.paypal.com cookie: (censored) Allow? (Y/N/Always/neVer)y ...

Ok, if I'd hit "a" to those cookies, it would've been a lot better. And there are a fscking LOT of cookies.

Now, I haven't actually tried to do anything with it so far, but I suspect that it would, in fact, work just fine. It's curious that it doesn't like the SSL -- I suspect that's a problem with my version of Lynx, as Firefox and Konqueror don't give me any SSL warnings. But other than that, Paypal isn't doing anything to block Lynx, and it looks reasonably navigateable.

Re:Trying with Lynx:

[JackieBrown]

It works fine in elinks

Re:Trying with Lynx:

You're using the Vista Lynx.

Re:Trying with Lynx:

[CastrTroy]

I wonder why they set so many cookies. Why not just have a single session cookie, and keep all other session values on the server? It must create a little extra traffic having to send back all those cookie values on every single request. Cookies have their use if you have no server-side scripting support, like on the old Geocities and Tripod hosting services, but I don't see much of a use for them otherwise.

Re:Trying with Lynx:

[SanityInAnarchy]

Nah, Lynx was always like that...

Oh my god.

That's where Microsoft got UAC from! Combine lynx with sudo, and... *shudders*

Re:Trying with Lynx:

[yuna49]

Firefox lists eleven cookies from PayPal, only a few of which are session cookies. The rest all have expiration dates a decade or two from now. I presume some of these are used to track my behavior over longer periods for whatever advertising or marketing value this information might provide. Some seem rather weird though like a cookie called simply "Apache" with a 2037 expiry. Will we still be using Apache in 2037?

There's also a paypal.112.2o7.net cookie, which I find more obnoxious than PayPal's own.

Re:Trying with Lynx:

[SanityInAnarchy]

Some seem rather weird though like a cookie called simply "Apache" with a 2037 expiry.

That's interesting, given that the Unix Epoch expires late January of 2038.

That isn't a difference based on browser

[patio11]

Its a difference based on whether you have a Paypal cookie on your system. If you do, they push the paypal option, since that means you move money from one Paypal account to another and Paypal gets an interchange fee but doesn't have to pay anything. If you don't, they give the credit card equal billing, since they know that maximizes the odds of them getting a transaction, even if they have to kick back most of their interchange fee to the credit card.

Since your IE and Firefox cookies are not shared, my guess is that you haven't logged in on IE recently. Try logging in for both browsers then logging out and attempting a purchase. You'll get identical behavior.

Disclaimer: IANAEOP (I am not an employee of Paypal) but half my business runs through them.

Re:PayPal does treat some browsers differently

[Auckerman]

My suspicion is that when PayPal deals with browsers that are not "up to snuff", there will be differences in behaviour and additional back-end security measures that may not be used with "approved" secure browsers. But I doubt they will disallow any modern browser entirely.

The real question is what exactly does this do for "security". Anything that PayPal does on their end will have no affect on phishing sites. All current web browsers, regardless of how PayPal treats them, will function with phishing sites just fine. Any user that falls for a phishing scam is just going to think, "cool PayPal works again". I see no point in blocking a web browser unless for some ungodly reason, the phishers blocked those browsers too.

Business reason is ruling this world

[unrealmp3]

Common sense would say Why should we not block Safari ? It's up to the Safari developers to make it more secure, not PayPal to make exceptions because it's for "Mac" users.

Re:Business reason is ruling this world

[Hal_Porter]

But Mac users are oppressed! I went on the chans and posted a picture of my new Macbook Air with the text "My Daddy just bought me a Macbook Air" and was banned for something called "faggotry". Whatever that is. Where ever I go on the Internet it's the same.

Re:Business reason is ruling this world

[danielsfca2]

Oh stuff it.

I don't need a phishing filter and I don't WANT a phishing filter. I'm a big boy who can read URLs just fine, thanks. I don't get to sensitive sites by untrusted links. I use my fingers to type the URL or I use a bookmark.

I also don't need Norton Internet Security, or anti-spyware apps, on my Mac OR on my PC--because I don't install trash downloaded from the Internet willy-nilly.

Aside from this worthless argument, no one has explained how Safari is any less secure than Firefox or MSIE.

Re:Business reason is ruling this world

[RiotingPacifist]

EVS
anti-phishing is important for the masses
doest show you a URL, before you click it (by default, again default is important for the masses).

Sure you dont need security, but that's like saying that corporate networks should use virus scanners because they're users should be smart enough to not get infected / scammed.

I could browse the web using lynx and not get scammed, it doesn't mean that anybody else can.

Re:Business reason is ruling this world

[kellyb9]

Common sense would also say - that ebay wants to make as much money from everyone they can.

Re:Business reason is ruling this world

[danielsfca2]

Safari does show me a URL before I click it. In the status bar. Just like every other browser. When I have a link in Mail, the tooltip tells me. And I don't give a crap about Apple not showing the status bar by default. And most users don't know what the status bar is anyway and don't even look for the URL on mouseover one way or another. I guess Apple decided anyone who didn't look at the SB anyway wouldn't miss it.

The only anti-phishing browser that's guaranteed to work would have to work like MSIE's or Firefox in their "active" mode, the one where they send every URL you visit to MS or Google to ask permission. That's simply not worth the privacy (and abuse potential) implications of this action. ("Sorry, the site "getfirefox.com" might be a phishing site. You're not allowed to go there." How many USERS would stop right there and decide maybe FF isn't so legit?)

In the "blacklist" mode these silly add-ons are not likely to be nearly as safe as just having a clue.

Re:Business reason is ruling this world

[RiotingPacifist]

In the "blacklist" mode these silly add-ons are not likely to be nearly as safe as just having a clue. But 100% better than not having a clue, anti-phising tools help those that dont even know about the status bar.

p.s safari could learn a thing from fission, I do quite like the safari look, plus its not hard to pop the address into the status bar on hover.

Re:Business reason is ruling this world

[danielsfca2]

Hmm... An interesting add-on I had not looked at before. However as far as using the address bar to show the destination of a link, that bothers me. Then your scammer will make the whole page a giant link to http://www.realbank.com/ so wherever your cursor is you'd see realbank.com in your address bar. Of course they'd add return false JS handlers to prevent a click from triggering said link.

I still think just using the status bar is the best idea, and it's not tough to find in Safari. View>Status bar. Not even a nested menu. I can't say I agree with Apple's decision to hide it by default, any more than I like how Windows XP's Windows Explorer (not IE) status bar is hidden, but I can't manage to get mad over a preference setting that's so easily changed by anyone with clue enough to look for the status bar.

Perhaps an auto-hiding status bar would be the truly best solution... sliding up from the bottom of the window whenever you mouseover a link, and disappearing to save space when it'd just be empty.

Re:Business reason is ruling this world

[Lally+Singh]

I bring to you the entire history of the web vs IE.

Too late, CTO should resign

[Ilgaz]

I invite you to check Macworld discussion at
http://forums.macworld.com/thread/98919?tstart=0

I have never seen a thing like that. Macintosh community hates them so much after that disastrous stupid statement that I STILL get new message alerts after 2 months as people keep commenting how stupid they are, Verisign bribed them, MS lapdog, eBay is scam.

This is a OS that loads ocsp on startup to check the SSL certs at core OS level:
Apr 22 09:07:29 quad /usr/sbin/ocspd[1735]: starting (system.log)

EV matters? How much it cost to a commercial site at size of Paypal? Does Paypal feel their consumers are insecure instead of using FREE data from community powered services like http://www.phishtank.com/ ?
Post a job listing for Cocoa/Carbon, Objective C developer. Cough some money and distribute your plugin. Don't use "No XUL" as excuse, it is easy to watch current URL on Safari. ICQ from 2003 can still read it.

Re:Too late, CTO should resign

[RiotingPacifist]

oh noes a bunch of fan boys rushed to irationally hate a company for putting out a whitepapper then implementing sane security messures, quick resign, infact the whole company should go bankrupt, hell they should go bankrupt then kill themselves for what theyve done.

OH, right its just 5% of 5%, im tempted to start using pay pal, only if they ban safari, just to keep mac fanboys crying.

EV matters? How much it cost to a commercial site at size of Paypal? Does Paypal feel their consumers are insecure instead of using FREE data from community powered services like http://www.phishtank.com/ [phishtank.com] ?
Post a job listing for Cocoa/Carbon, Objective C developer. Cough some money and distribute your plugin. Don't use "No XUL" as excuse, it is easy to watch current URL on Safari. ICQ from 2003 can still read it. to the 5% of the users that know how to install plugins, thats great, but the fact is that unless its done by default, phishing victims wont install it.

Re:Too late, CTO should resign

[Ilgaz]

Well here are facts. One of least popular (if popular at all) extensions for firefox is the EV certificate thing. They (Verisign) couldn't even make it work right. Phishing prevention is one thing, selling your soul to Google and send them every single URL (including the page part) you visit is another. There are Paypal phishing pages which are up for DAYS as you can see from http://www.phishtank.com/ which they (as they are mega corp) can call the countries police chief directly from his home phone and get site raided. If you get thousands of dollars stolen from your paypal recorded CC (never do it!) your support mail ends up in some typing/template monkey at Bangalore.

Also, another fact: Never, ever call a system default browser insecure if you are CTO of a high profile company like Paypal. Get the damned source from www.webkit.org , code and mail/call Apple "We think Safari would be better with EV certificate checking, here is the code you can review internally."

Re:Too late, CTO should resign

[RiotingPacifist]

Well here are facts. One of least popular (if popular at all) extensions for firefox is the EV certificate thing. They (Verisign) couldn't even make it work right. Thats my point, few people are going to install extensions, and even fewer will do it for security extensions, that's why this sort of thing has to come by default.

Phishing prevention is one thing, selling your soul to Google and send them every single URL (including the page part) you visit is another. True, but paypal havent said you have to sell your soul to google, hell i quite liked the FF2 method of downloading a list, do that regularly with diffs and you dont really need to send anybody your URLS

There are Paypal phishing pages which are up for DAYS as you can see from http://www.phishtank.com/ which they (as they are mega corp) can call the countries police chief directly from his home phone and get site raided. True, but some sites can be unknowningly infected, others can be in strange juristicion, its alot harder to catch them than it is to try and stop people getting caught in the first place. OFC paypal SHOULD go after them, but theyre a company and its just not worth it :(

Also, another fact: Never, ever call a system default browser insecure if you are CTO of a high profile company like Paypal. Why not Jobs, thinks its fine to show other operating systems with a BSOD, even non-windows systems. If jobs is calling other systems unstable, why should everybody suck up to mac. Also It was only due to a whitepaper that actually got read that it came up, they didn't go out of their way to slag off safari, its just insecure. I dont see anybody from KDE or gnome complaining

Get the damned source from www.webkit.org , code and mail/call Apple "We think Safari would be better with EV certificate checking, here is the code you can review internally." why would they want to look at webkit? this isn't to do with rendering pages this is all about the closed source safari part, the UI and lack of anti-phishing features can be provided by webkit AFAIK.

Re:Wish Apple Would Fix it

[boarder8925]

View menu - Show Status Bar.

Or hit Cmd+/ on your keyboard.

Re:Wish Apple Would Fix it

[the+JoshMeister]

I wish apple would fix Safari (and Mail too) to better display the actual targets of links.

Mail doesn't need to be fixed. Roll your cursor over any link and it will display a tooltip showing the URL to which the link would take you if clicked.

I would tend to agree that by default Safari isn't very helpful in this regard, but as previous posters already mentioned, the fix for Safari is simple: go to the View menu and select "Show Status Bar", or hold the Command key and press the / button. You only have to do this once, and Safari will keep this setting forever unless you turn it off.

Missed Phishing Opportunity

[edalytical]

Perhaps PayPal realized what a phisherman's dream this would be: "Can't access your PayPal with Safari? Signup for PhishPal to get instant unrestricted access. We only need your email address, ssn, bank account number, credit card numbers and drivers license."

Joking aside, just teach people to type addresses in the address bar, and to check the address bar and status bar when they are entering sensitive information. Problem solved.

Re:Missed Phishing Opportunity

[RiotingPacifist]

Joking aside, just teach people to type addresses in the address bar, and to check the address bar and status bar when they are entering sensitive information. Problem solved. They tried that, it turns out users are idiots.

Re:Missed Phishing Opportunity

[edalytical]

I don't mean teaching by forcing the users to view a page when the login. Of course that doesn't work. People are not idiots and they can quickly figure out how to skip nonsense to get to the real service.

No this kind of basic computer education is up to the schools, parents, local communities, computer retailers, ISPs, television show and governments. If PayPal really wants to do something to help they should sponsor a bill that will make basic computer education part of a schools accreditation. Better yet make it part of an early education critical thinking program, where school children are taught to be skeptics. Of course you'd still have to use some of the other channels of information to educate teens and adults.

You see, phishing isn't a technological problem and therefore doesn't warrant a technological solution. This is a social problem, plain and simple.

Re:Missed Phishing Opportunity

[RiotingPacifist]

Sounds good in theory, but given most people live to 80, it leaves you with a 70 year gap. Especially as its not kids that get phished but usually people who spent the first 40/50/60 years of thier life without a PC

Re:Missed Phishing Opportunity

[edalytical]

That would be covered by "basic computer education is up to...local communities, computer retailers, ISPs, television shows and governments...to educate teens and adults."

Re:Wish Apple Would Fix it

[RiotingPacifist]

Wait so as a firefox3 user with fission user I get a safari style address bar, with EVS & it shows me the links.
Why does anybody use safari? oh right it gives nice fonts:S

Re:PayPal does treat some browsers differently

[RiotingPacifist]

Execpt that new users to paypal, will only sign up if they have a secure browser.
And existing users that use pay pal before getting scammed will upgrade.

Your argument is like saying google shouldn't get a new capatcha because spammers have already signed up, but if they change now they can at least stop new idiots / spammers signing up.

Re:PayPal does treat some browsers differently

[Auckerman]

I'm typing this from Firefox in OS X 10.5 right now. Safari is my default browser. Why? Cause I don't care what the default is, I launch my stuff, so whatever. Anyhow, when I click links outside of Firefox, guess what OS X launches? That's right Safari. I go, oh yeah, maybe I should do something about that, close out Safari when it's done and go back to Firefox.

Seriously, I do that. My roommate has a XP machine with Firefox and IE. IE is her default browser. Same thing, too unconcerned to change the setting.

Anyways, people are NOT going to change their default browser for one Site. They aren't. They might download something so it doesn't break, but go back to whatever they wanted to use in the first place. People do that you know. Phishing sites will not be affected by Paypal blocking browsers, because those phishing sites will still function in those browsers. All it will do is annoy people.

Just curious...

[keysersoze_sec]

I'm wondering... how those Paypal folks could "block" your browser? Do they rely on your UserAgent? There must be some UASwitcher plugin for every browser out there, so you can easily bypass their filter... Any idea about how they filter you out?

Re:PayPal does treat some browsers differently

[RiotingPacifist]

They might download something so it doesn't break, but go back to whatever they wanted to use in the first place. People do that you know. But in that case paypal has made them make their browser secure.

You do make a good point, but the people that get hit most by phising are those that dont even know what a browser is, the kind of people that will phone you up with such useful complaints as "paypal is broken, what do i do?". These people will have a friend "fix paypal" like this, and wont even know what's happened.
The next most affected people are People who do understand thier browser but dont know about phising, this will not protect them, but hopefully this will cause apple to fix their defective browser where it matters instead of work on ACID3
The least affected people are the slashdot crowd that can argue about reading address bars and the have always checked the site for a padlock.

While not perfect this does help a lot of vulnerable users, at little cost to the rest

Re:Wish Apple Would Fix it

[JustCallMeRich]

I now that was a troll, but I may be able to offer some insight for thers reading this thread that may be helpful to future Mac admins out there and may save some hassle - which is really what being an admin is all about IMHO - saving my users hassle. If they have no worries, I don't get calls and can get back to updating my Mac build or quelling political infighting with some technical facts...

Safari pulls it's network and proxy info from the OS. FireFox does not - it has that set in a pref. The Mac laptops in our company network need proxy settings, DNS info, and a search domain entered to get at all the intranet goodness, as well as make it out to the cloud. In my image I create a WORK location and an AWAY location for the network. The work location has all the network settings for, well, you get the idea. This makes it simple for the user to go under the Apple menu to Location and select WORK or AWAY and still be able to connect to whatever they need to on site or off site. And even that takes a little training.

Unfortunately, FireFox doesn't support that. So the FireFox users would have to go into FireFox and navigate the prefs to find the proxy settings and manually enter the proxy settings in the network, and disable them when they are off site - in addition to choosing the work or away location under the Apple menu. For those that want to know how to do this, the info is on our Mac intranet site and the users are free to do it. But it's just a couple extra steps to remember to do and undo. And for most of my corporate users they could care less which browser they are using - as long as it gets them to the internets theys iz wantin.

So I have my Mac build with both Safari and Firefox set up and configured for work locations - even the status bar showing on Safari. But when they go offsite and just select the AWAY location, only Safari works. Those that know how to make FireFox work will do those extra steps. Those that don't, won't generally care, or will ask me or the help desk and get refrenced to the intranet site for details on how to get it working.

I hope that proves useful for any other Mac admins out there facing the same issue. If you have a better solution, please share it.

Re:Wish Apple Would Fix it

[RiotingPacifist]

I dont have a Mac but have under linux you have 5 options
No proxy (no good for you)
Auto Detect (not sure why this wont work for your network?)
Use system settings (this might be new but would defiantly work)
Manual (no good for you)
automatic proxy configuration url (would open them up to abuse on open networks)

Re:Wish Apple Would Fix it

[JustCallMeRich]

I had high hopes for the Autodetect option too - but alas, it did not work. I didn't see the 'use system settings' option in the Mac version as of a couple weeks ago, but yes, that would be the ideal solution. Thanks for the tip, I'l have a look for it - maybe an upgrade is in order or it hasnt come to the Mac version yet.

Re:Wish Apple Would Fix it

[RiotingPacifist]

Im using Firefox3 beta5, would be a shame if the mac version didn't have that setting, seams pretty essential to a web browser to follow system settings (especially for corporate environments)

IE is still in use?

[onekopaka]

We all agree that IE sucks, right?

Well by that logic, Microsoft sucks too, and people who think Microsoft is good, are Microtards.

So,

IE belongs in the TRASH MICROTARDS!!

Live update followup

[Ilgaz]

Just had "Update" window at 1Password.app , a shareware, 2 guys coded password manager which is practically all browser support (except Opera). It is not from $billion Paypal/Ebay empire.

"The most notable improvements is a new Change Password window to make updating online password easy, as well as enhanced Anti-Phishing integration with PhishTank."

See? That was what I mean to Paypal or anyone with billions of dollars in hand and thousands of IT personnel. 2 Guys from Canada who are in fact new to OS X (coming from J2EE land) can do it.

Especially Phishtank is so reachable that their people (who runs OpenDNS) replies to my personal mails.

Think about something else, isn't a full feature extension mechanism like Firefox which has full access to user home dir/browser data a security risk? Certify? Apple? Can you imagine the feedback against them? They get flamed for enabling services functionality, their (and NeXT) OWN invention on web pages by some lifeless nerds.