Last month, eWeek reported that PayPal intends to block unsafe browsersfrom accessing their site. They’ve focused on phishing detection and support for Extended Validation SSL Certificates. So what are these features, and why does PayPal think they’re critical? And just which browsers are they likely to block?

Phishing protection has an obvious appeal for a site whose accounts are one of the biggest phishing targets on the web.  Opera 9.1 and up, Firefox 2, and Internet Explorer 7 check the websites they visit against lists of known fraudulent sites. These browsers will warn the users before they accidentally type their credentials into a bogus log-in form. While this makes no difference when a user is already on PayPal’s site, it does mean the user is less likely to get his or her password stolen, and thieves are less likely to carry out fraudulent transactions with the account.

Extended Validation or EV certificates are like normal SSL certificates: they encrypt your web activity to prevent eavesdropping. What makes them different is that EV certificates require the issuer to verify the site owner more thoroughly. Browsers with EV support will display an indication that the site has been verified, usually by turning part or all of the address bar green. This is intended to give the user greater confidence that the site is legit. EV certificates are currently supported by IE7 and development versions of Opera 9.50 and Firefox 3. (You can preview a version of Opera with EV support by downloading Opera 9.50 beta 2.)

(It’s worth noting that Opera 9.50 beta 2 is stricter about verifying EV certificates, and will not show PayPal with a green bar because it loads images and scripts from another site. More recent preview releases will, like IE7 and Firefox 3, be satisfied if the main page is EV and the resources are all protected by regular SSL.)

So which browsers might get turned away at the gate?

In a follow-up story, PayPal clarified that they have absolutely no intention of blocking current versions of any browsers, and that they would only block obsolete browsers on outdated or unsupported operating systems. So an Opera 9 user on Windows XP isn’t likely to get shut out of PayPal anytime soon. But a Windows 98 user might have cause for concern.

Browser detection is extremely tricky to get right, requiring frequent adjustments. It looks like PayPal intends to take the minimalist approach: Assume most browsers are capable of handling what you send them, and only block the problematic ones.

(Originally posted at Opera Watch as a follow-up to Blocking IE6)

Leave a Reply

Your email address will not be published. Required fields are marked *