Monday, April 21, 2008

We need more than a seat belt.

PayPal made news at RSA with the publication of a paper that spells out a plan to eventually block older and otherwise "unsafe browsers" from accessing its services. Unfortunately, "unsafe browser" could be an apt description of every standard browser currently in use.

PayPal's plan calls for shutting off access from older versions of Internet Explorer, Firefox (and possibly Apple's Safari, should Apple fail to add the requested features) which don't support the new Extended Validation SSL certificate system. EV SSL certified sites display a green address bar and company name in an attempt to prevent phishing attacks by visually confirming to the user the validity of the site.

It's certainly a better system and a worthwhile addition to the layered security model, but it doesn't solve several underlying issues:

  1. The world's been using SSL certification (those little locks at the bottom of your browser), and other tools for years in an effort to keep users from entering their personal data at falsified sites - and it hasn't stopped the problem from expanding. These visual cues can be spoofed by hackers, and most users simply don't know what they mean, nor pay attention to their existence.

  2. Even if a user could be certain that they're on the actual PayPal site, there's nothing to prevent spyware and other agents from capturing every detail, password, keystroke and screen from that session. The hacker then logs on with the stolen credentials, gets the same reassuring green address bar, and cleans out your account.

The latest browsers, including Internet Explorer 7, and Firefox beta 3, provide no protection against desktop spyware and other tools for 'listening in'. As long as desktop agents are allowed to run unchecked, identity theft - and the resulting fraud - will continue to grow unabated. As long is the industry relies on users to recognize a combination of cues, accept a barrage of alert pop-ups, and navigate the dirty minefield of traditional browsing, the problem will continue to grow. We need a new paradigm, one that separates 'standard' browsing from activities that require real security.

I applaud PayPal's effort to raise the security level on their site by locking out "unsafe browsers", but if it's security they seek, perhaps they should consider locking out all standard browsers and requiring SafeCentral, which supports EV SSL while providing DNS security and desktop malware defense.

PayPal said that allowing unsafe browsers to access its site
"is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."
True. However, seat belts have been standard in cars since the early 60's; perhaps requiring air-bags, and even accident avoidance systems would be a more appropriate goal in 2008. Our goal in developing SafeCentral is to be ahead of the hackers, responding in advance to tomorrow's threats.

No comments: