
I don’t think that’s quite what they were trying to say…

Last month, eWeek reported that PayPal intends to block unsafe browsers from accessing their site. They’ve focused on phishing detection and support for Extended Validation SSL Certificates. So what are these features, and why does PayPal think they’re critical? And just which browsers are they likely to block?
Phishing protection has an obvious appeal for a site whose accounts are one of the biggest phishing targets on the web. Opera 9.1 and up, Firefox 2, and Internet Explorer 7 check the websites they visit against lists of known fraudulent sites. These browsers will warn the users before they accidentally type their credentials into a bogus log-in form. While this makes no difference when a user is already on PayPal’s site, it does mean the user is less likely to get his or her password stolen, and thieves are less likely to carry out fraudulent transactions with the account.
Extended Validation or EV certificates are like normal SSL certificates: they encrypt your web activity to prevent eavesdropping. What makes them different is that EV certificates require the issuer to verify the site owner more thoroughly. Browsers with EV support will display an indication that the site has been verified, usually by turning part or all of the address bar green. This is intended to give the user greater confidence that the site is legit. EV certificates are currently supported by IE7 and development versions of Opera 9.50 and Firefox 3. (You can preview a version of Opera with EV support by downloading Opera 9.50 beta 2.)
(It’s worth noting that Opera 9.50 beta 2 is stricter about verifying EV certificates, and will not show PayPal with a green bar because it loads images and scripts from another site. More recent preview releases will, like IE7 and Firefox 3, be satisfied if the main page is EV and the resources are all protected by regular SSL.)
So which browsers might get turned away at the gate?
In a follow-up story, PayPal clarified that they have absolutely no intention of blocking current versions of any browsers, and that they would only block obsolete browsers on outdated or unsupported operating systems. So an Opera 9 user on Windows XP isn’t likely to get shut out of PayPal anytime soon. But a Windows 98 user might have cause for concern.
Browser detection is extremely tricky to get right, requiring frequent adjustments. It looks like PayPal intends to take the minimalist approach: Assume most browsers are capable of handling what you send them, and only block the problematic ones.
(Originally posted at Opera Watch as a follow-up to Blocking IE6)
This past week has mostly been taken up by unpacking, at least to the point that we can use things. We got most of the bedroom set up the first night — we needed somewhere to sleep — but the rest has been slow going. We finally got the TV and DVD player hooked up today, and tested it by re-watching Raiders of the Lost Ark.*
One thing I’ve noticed is all the extra expenses that pile up after the move.
You have to replace things lost during the move. I misplaced the screws that held together the bed frame when I dismantled it, so after we moved the last boxes in and got cleaned up, I drove out to Lowe’s looking for replacement hardware. Similarly, we forgot to remove the under-the-cupboard paper towel holder, and had to get a new one.
There are also things you can’t take with you. Stick-on wall hooks in the closet, for instance.
Or things that are included in one place, but not in another. Our old apartment had a built-in lock on its garage storage. At this place, we had to get a padlock. (Well, actually, we didn’t. A day after buying it, I found one in my toolbox that I’d forgotten.) We also had to get a shower curtain rod. Fortunately we have plenty of lamps, but that’s one I’ve run into when moving before.
All this on top of the stuff you expect to pay: rent, deposits, boxes, movers or a rental truck, pizza for friends who are helping, etc.
*Regarding Indy, I had originally planned to re-watch the entire Indiana Jones trilogy before going out this weekend to see Kingdom of the Crystal Skull. But it took a while to empty enough boxes to get the TV set up. We did manage to watch Last Crusade on one of the computers, which was a bit awkward. We went out with friends on Saturday to catch the new film. It was a lot of fun, but not phenomenal. Better than Temple of Doom (which is still better than a lot of films) but not as good as Raiders or Last Crusade.
Sorry for the lack of updates this past week. I was just way too busy prepping for our move this weekend.
A couple of interesting news bits I noticed when I got into work this morning:
It looks like I’ve been lucky with installing Windows XP Service Pack 3. I’ve had no problems with the one machine I installed it on. According to Information Week, a lot of people are having serious problems with SP3, including BSOD on AMD-based systems.
Also, NetCraft has a screenshot of a PayPal page with both the green bar of an Extended Validation (EV) SSL certificate and a cross-site scripting (XSS) vulnerability. It’s a step or two beyond the standard lock icon, but there are still limits to what an EV cert can tell you. Unfortunately PayPal and others are really trying to drum “green bar = safe” into people’s heads.
Wow… you know gas is expensive when the spammers start hawking gas cards.
Our support contact address received a message touting “Finest List of Nurses Including Email Addresses – Free $50 Gas Card.” I had to wonder what the heck it was, so I took a look at the message. They were trying to sell “sales leads” — i.e. names and contact information — of nurses, and were offering to throw in the gas card if you spent enough on “leads” to do your own spamming.
Andrew Gregory points out that some browser detection scripts might have trouble when Opera 10 eventually rolls around. (Edit: Hallvord also comments.) Why? Because one of the easiest ways of testing for a version number is to look for the “Browser n” or “Browser/n” patterns. The problem is that this strategy only grabs the first digit of the version number. That works fine for 1–9, but once you hit 10, suddenly it looks like 1 again.
Firefox and Safari, currently at just before and just after 3, are likely safe for now, but IE is creeping up on 8, and with their new, faster release schedule, IE10 may only be a couple of years away.
I’ll admit, I’ve written code like that myself (not the specific example, but I’ve done regexp matches that only look at the first digit), but always on sites that I expect to be able to maintain. Of course, one of the lessons to learn from Y2K is that shortcuts get entrenched, and code you thought you’d have time to clean up long before it became a problem has a tendency to stay in use far longer than you expected. And we’ve seen the same thing with web script archives, where someone’s example code that mostly worked in IE4 gets enshrined as “the” way to accomplish something, even though there have been better ways that work more consistently for years.
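The first-digit problem described above, shown next to a parser that reads the whole major version. This is an added example, not code from the original post or from any of the sites mentioned: the User-Agent strings are constructed, and the function names and the `minMajor` threshold are hypothetical.

```javascript
// Constructed User-Agent strings for illustration (not captured traffic).
const SAMPLE_UAS = {
  opera9: "Opera/9.27 (Windows NT 5.1; U; en)",
  opera10: "Opera/10.00 (Windows NT 5.1; U; en)",
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)",
  ie10: "Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.0)",
};

// Naive: the "Browser n" / "Browser/n" pattern, capturing a single digit.
// "Opera/10.00" yields 1, so version 10 is mistaken for version 1.
function naiveMajor(ua, token) {
  const m = new RegExp(token + "[ /](\\d)").exec(ua);
  return m ? Number(m[1]) : null;
}

// Robust: capture the whole run of digits that precedes the first dot.
function fullMajor(ua, token) {
  const m = new RegExp(token + "[ /](\\d+)").exec(ua);
  return m ? Number(m[1]) : null;
}

// Hypothetical gate: turn away only versions known to be obsolete.
// A browser whose version cannot be parsed is allowed through, which
// matches the "assume most browsers are capable" approach.
function isBlocked(ua, token, minMajor, parse) {
  const major = parse(ua, token);
  return major !== null && major < minMajor;
}

// Run both parsers over every sample and collect the gate decisions.
function compare(token, minMajor, keys) {
  return keys.map((k) => ({
    ua: k,
    naive: isBlocked(SAMPLE_UAS[k], token, minMajor, naiveMajor),
    full: isBlocked(SAMPLE_UAS[k], token, minMajor, fullMajor),
  }));
}

console.log(compare("Opera", 9, ["opera9", "opera10"]));
console.log(compare("MSIE", 7, ["ie6", "ie10"]));
```

With the single-digit pattern, the newest browser is the one that gets shut out: version 10 parses as 1 and falls below any sensible minimum.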
So, you’re a nerd (or a geek, if you prefer). You spend your life sitting in front of your computer, your TV, or your latest book. You don’t play sports, you don’t go running, hiking or cycling, and the word gym conjures up painful memories from middle school.
And you’ve put on a bit more padding than you’d like.
The problem is, you can’t stand exercise, you don’t want to spend the next 2 months eating cardboard food, and you don’t want to record your every caloric intake with a spreadsheet (though if that idea appeals to you, go for it). What’s a geek to do?
Well, here are some tweaks you can make to your lifestyle that, with a minimum of effort, will help. They won’t take the weight off quickly, but they’ll lower it over time. And you might be able to keep it off better than someone who goes on a crash diet, because you’re changing your habits, not just making a short-term change.