
PayPal to ban unsafe and old browsers

Published: April 18th, 2008

In a white paper released last week, PayPal announced that it will start showing warnings to customers who access its site using browsers that don’t support some form of web site identification and phishing protection.

“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts”, reads the white paper authored by Michael Barrett and Dan Levy, PayPal’s Chief Information Security Officer and Senior Director of Risk Management for Europe, respectively.

The white paper also suggests that financial institutions encourage their users to run the most recent version of their web browsers by warning users of the immediately previous versions and blocking users of even older releases, since these are the most likely to have unpatched vulnerabilities that have been addressed in more recent versions.

With all the main browsers (Internet Explorer, Firefox, Safari and Opera) available for free download, it is very hard to argue with this proposal. One disadvantage could be OS incompatibility. For example, users of Windows 95/98 and of old Mac OS X versions will not be able to upgrade to Firefox 3, as Windows 2000 is the minimum requirement. These same users wouldn’t be able to access financial web sites if PayPal’s advice were followed.

Regarding site identification, the strongest way currently available for a site to identify itself is an EV (Extended Validation) SSL certificate issued by a certificate authority such as Go Daddy, Thawte, VeriSign and a few others.

Unlike the “simple” SSL certificates that many sites use to encrypt information between their servers and visitors’ computers, these certificates require companies to provide information about their legal identity, physical address, the identity of the individuals handling the certificate process, etc.

So, for example, when you access a site like paypal.com, you know not only that it is paypal.com (as an SSL certificate ensures) but also that the company you are contacting is indeed PayPal Inc.

What’s the benefit? If the bad guys want to trick you into providing your PayPal information, they could register paypa1.com (notice that the last character is actually the digit 1, not the letter l) and even get an SSL certificate for it. Users who fall for their phishing emails may not notice the slightly different spelling in the location bar (now yellow) and will feel confident providing their information to the phishing site.
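The paypa1.com substitution described above can be caught mechanically on the defender's side, for example when reviewing links in inbound mail or proxy logs. The following is an added example, not from the original article or from PayPal's white paper; the `PROTECTED` list, the `CONFUSABLE` table and the function names are assumptions made for illustration, and it goes slightly beyond the article's case by also flagging one-character typos.

```python
# Added example: flag hostnames that imitate a protected domain, either by
# look-alike characters (the article's paypa1.com) or a one-character typo.
PROTECTED = ("paypal.com",)  # assumption: the domains being defended

# Constructed, non-exhaustive table of look-alike sequences and their targets.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"))


def skeleton(domain):
    """Fold visually similar characters so that look-alikes compare equal."""
    folded = domain.lower()
    for fake, real in CONFUSABLE:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, protected domain the host resembles or None)."""
    # Simplification: treat the last two labels as the registrable domain.
    domain = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if domain in PROTECTED:
        return ("genuine", domain)
    for real in PROTECTED:
        if skeleton(domain) == skeleton(real):
            return ("lookalike", real)
        if edit_distance(domain, real) == 1:
            return ("typo", real)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample hostnames, e.g. pulled from links in inbound mail.
    for host in ("www.paypal.com", "www.paypa1.com", "paypall.com", "example.org"):
        print(host, classify(host))
```

A production check would take the registrable domain from the Public Suffix List and the substitution table from the Unicode confusables data rather than the short constructed table used here.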

Browsers that support EV certificates, like Internet Explorer 7, Firefox 2 (with VeriSign’s EV Green Bar Extension) and Firefox 3, are able to display a special user interface element with the name of the company that owns the site. In time, users should get used to seeing the extra UI and be able to distinguish fake sites at a glance.

In Firefox 3, the new site button turns green for EV certificate identified sites. Clicking on the button displays the name of the company that runs the site.

Via BBC News.


2 Comments on “PayPal to ban unsafe and old browsers”


  1. The Guru
    April 18th, 2008 at 8:15 pm

    “Unlike “simple” SSL certificates many sites use to encrypt information between its servers and visitors computers, these certificates require from companies to provide information about its legal identity, physical address, the identity of the individuals handling the certificate process, etc.”

    To be more exact, GoDaddy’s Extended Validation certificates not only require a verification phone call but a letter from your attorney or accountant.


  2. Sprocket999
    April 21st, 2008 at 6:36 pm

    Personally, I like where FF is going with this, but I can see headaches ahead for users of older systems who are suddenly cut off and are forced to buy new equipment & OS. Often times this isn’t an option when other factors are grabbing for the limited household finances. For as clever as technology likes to think of itself, it certainly hasn’t figured a compassionate way out of this for others.

    Then of course, I have to look at PayPal’s past track record. “Pot — meet kettle”.

