web application security lab

Older Browsers Blocked By PayPal

This news is coming in a little late, but I thought it was worth talking about. PayPal apparently is going to start blocking older browsers that it deems a security risk to its own users. Pretty funny in a way - consumers can’t protect themselves, so PayPal is having to tell them to upgrade to something that doesn’t come from the Paleozoic era.

There’s an upside to doing this and a few downsides. The obvious upside is that people will be using more current and theoretically more secure browsers that support EV certs and anti-phishing technology. The downsides are that some people seriously cannot afford to buy new equipment, or have chosen older browsers that are less likely to be exploited because no one is writing exploits for them any more. And the worst downside to the browser eco-sphere is an even more homogeneous browser base. I’m not sure if I’m completely in the “this is a good thing for security” camp, but it’ll be interesting to see how it plays out over time.

8 Responses to “Older Browsers Blocked By PayPal”

  1. Brutos Says:

    At least it’s a good thing for web standards.

  2. Felstatsu Says:

    I imagine that at least with popular IE targeting JS exploits that using an old version isn’t going to protect you. I haven’t run tests myself yet (maybe someone with more time than me would like to do this? and post results?), but I know MS hasn’t done much to update their JS engine in a long time other than security fixes. I’d also guess that popular exploits against other browsers are similar, in that they’re popular because they work on multiple versions getting the most possible users they can. We will wind up with a more heterogeneous browser base, but I think that in the short term we’ll be a little more secure, since older exploits that have been fixed in new browsers will no longer have any browsers to hit. In the long run it remains an arms race to see who can update their side faster.

    The other thing to consider about whether this is a good thing for security is: do people who use rather out-of-date browsers keep anything else up to date? How many of these people using out-of-date/unpatched/un-updated software/OSs would start keeping things up to date and patched if they had to keep their browser up to date? I’d guess the first group is large, but the ones that would actually learn from keeping their browser updated is probably pretty small; still, if both are large enough it would be good overall.

  3. kaes Says:

    surely you mean homogeneous?

    people will be using a smaller subset of available browsers making the playing field more homogeneous = less diverse.

  4. Kyran Says:

    ! RSnake –
    If someone was using paypal frequently enough for this to be an issue, why wouldn’t they have at least something from 1995!?

    Oh and time for the usual Opera plug. I can get Opera to run perfectly on flash-easy-high-ajax sites on my laptop from 1995…

    But yes, this is a great idea in the long run but as you said with the hardware issue, maybe only a good idea for payment processors…

  5. RSnake Says:

    @kaes - yes, whoops, I changed it.

    @Kyran - does Opera make French toast too?

  6. Kyran Says:

    Nah. It DOES measure your heart rate and make smoothies though.

  7. MERLiiN Says:

    Paypal, you’re doing it wrong!

    EV Certs are for authenticating the website to the user, not the browser to the website.

    Using newer browsers does NOTHING to protect against users willing to provide their passwords to strange URLs or against OS-based keyloggers. Claiming a more up-to-date OS and browser does not protect against the end user’s actions; I think we can all agree that the Storm botnet proved just how effective badly written spam emails with a link can be at luring users into installing trojans.

  8. Morgan Roderick Says:

    Even funnier is the fact that users are supposed to feel confident that a site is secure because it employs EV Certs and they are supported by the user’s browser.

    http://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html

    Get the basics right, and then worry about the more sophisticated stuff.