PayPal to lock out old browsers

The eBay-owned online payment system PayPal has announced that it will lock out outdated browsers. Not because annoyed developers have lost patience with CSS hacks and workarounds for ancient browsers, but for a much more mundane reason: security.

PayPal suffers heavily from phishing attacks. It is therefore very important that users run a browser that supports current security standards. To ensure this, certain browsers are in future to be locked out completely or restricted in what they can do:

There is, of course, a corollary to safer browsers - what might be called “unsafe browsers.” That is, those browsers which do not have support for blocking phishing sites or for Extended Validation certificates (a technology we will discuss later in this section). In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.

The alarming fact is that there is a significant set of users who use very old and vulnerable browsers, such as Microsoft’s Internet Explorer 4 or even IE 3. Inevitably, this set of users is a subset of the passive group. We argue that it’s critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers. Further, we suggest that any Web site that asks for personal or financial information should consider logic along the following lines:

  • Version N (current) - allow with no messaging
  • Version N-1 (previous major version) - allow, but with a warning message
  • Version N-2, or older - disallow, with a message indicating why

At PayPal, we are in the process of re-implementing controls which will first warn our customers when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe - usually the oldest - browsers.
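The N / N-1 / N-2 tiering quoted above is a small server-side policy: read the browser family and major version from the request, compare it with the version that is considered current, and answer allow, warn or block together with a reason for the message. The following Python is an added illustration, not PayPal's code; the table of "current" major versions, the two User-Agent patterns and the decision to only warn on unrecognised clients are all assumptions made here for the example. The User-Agent header is supplied by the client, so this is a safety nudge for users of old browsers, not an access control.

```python
import re

# Policy tiers from the quoted paragraph:
# current version N -> allow, N-1 -> allow with warning, N-2 or older -> block.
ALLOW, WARN, BLOCK = "allow", "warn", "block"

# Constructed table of "current" major versions per browser family. This is an
# assumption for the example; the post does not give PayPal's actual list.
CURRENT_MAJOR = {"MSIE": 7, "Firefox": 3}

# Minimal User-Agent patterns (assumed here; real UA strings are far messier).
UA_PATTERNS = [
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
]


def parse_browser(user_agent):
    """Return (family, major_version) or (None, None) if the UA is unrecognised."""
    for family, pattern in UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, int(match.group(1))
    return None, None


def classify(user_agent, current=CURRENT_MAJOR):
    """Apply the N / N-1 / N-2 rule and return (tier, reason)."""
    family, major = parse_browser(user_agent)
    if family is None:
        # Unknown client: the policy cannot judge it, so warn rather than block.
        # This is a design choice for the example, not part of the quoted text.
        return WARN, "unrecognised browser; cannot verify phishing protection"
    gap = current[family] - major
    if gap <= 0:
        return ALLOW, f"{family} {major} is the current major version"
    if gap == 1:
        return WARN, f"{family} {major} is one major version behind; please upgrade"
    return BLOCK, (f"{family} {major} is {gap} major versions behind and lacks "
                   f"phishing-site blocking and EV certificate support")


# Constructed sample User-Agent strings for the four cases the policy covers.
SAMPLE_REQUESTS = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3",
    "curl/7.19.5",
]


def run_demo(requests=SAMPLE_REQUESTS):
    """Classify each sample request; returns a list of (ua, tier, reason)."""
    return [(ua, *classify(ua)) for ua in requests]


if __name__ == "__main__":
    for ua, tier, reason in run_demo():
        print(f"{tier:5}  {reason}")
```

Note that the IE examples line up with the quoted text: with IE 7 as current, IE 6 gets the warning and IE 5 and older (including the IE 4 and IE 3 users mentioned) are blocked with a message saying why.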

Later on, the paper turns to EV SSL certificates.

Blocking offending sites works very well for passive users. However, we knew we needed to provide visual cues for our active users in the Web browser, much like we did with email signatures in the mail client.

Fortunately, the safer browsers helped tremendously. Taking advantage of a new type of site certificate called ‘Extended Validation (EV) SSL Certificates,’ newer browsers such as IE 7 highlight the address bar in green when customers are on a Web site that has been determined legitimate. They also display the company name and the certificate authority name. So, by displaying the green glow and company name, these newer browsers make it much easier for users to determine whether or not they’re on the site that they thought they were visiting.

PayPal was one of the first companies to adopt EV Certificates. More or less all of the pages on our site are SSL encrypted, and they all use EV Certificates. And after nine months of usage, PayPal’s data suggests that there is a statistically significant change in user behavior. For example, we’re seeing noticeably lower abandonment rates on signup flows for IE 7 users versus other browsers. We believe that this correlates closely to the user interface changes triggered by our use of EV certificates.

The debate about excluding old browsers from the outset flares up again and again, particularly where IE6 is concerned. PayPal is now pouring more oil on the fire. If it helps to increase the adoption of current browsers, that is certainly not a bad thing.

1 comment

Tobias Otte wrote on 15.10.08 at 1:29:

Couldn't Microsoft be excluded from the net altogether, as long as IE remains a bottomless barrel of bugs?! :)
