In an interview with Macworld, PayPal issues a dire warning to users of Apple’s Safari browser: don’t use it if you want to avoid online fraud. Apparently, Safari is not on PayPal’s list of recommended browsers due to its lack of support for some of the anti-phishing features the other browsers have. Instead, PayPal is recommending the use of IE, Firefox, or Opera, because they are safer for the average user.
According to Michael Barrett, PayPal’s Chief Information Security Officer, “Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”
So what is it that Safari is missing? For one, unlike the other browsers, Safari has no built-in phishing filter that warns web surfers when they visit suspicious web sites.
The other issue is that Safari doesn’t support EV (Extended Validation) certificates. This secure web browsing technology turns the address bar green when the user visits a legitimate web site.
Currently only IE supports EV certificates, but upcoming versions of Opera and Firefox will be supporting them as well.
“Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it,” Barrett said.
But are these technologies really having an effect? Barrett thinks so. With EV certificates, for example, he bases this on data compiled on PayPal’s web site showing that IE 7 users are more likely to sign on to PayPal. He makes the leap to presume that this is because they are more confident that the site is legitimate.
To the contrary, a study (PDF) on the effectiveness of EV shows that EV certificates aren’t that useful unless someone is specifically trained to notice the green address bar and what it means.
So, is Barrett being overly cautious? Or is Safari really insecure?