Safari said to be unsafe

So, PayPal has thrown down the gauntlet on the safe browser war.  According to an InfoWorld article, they have declined to add Apple’s Safari browser to their list of safe browsers due to the lack of native anti-phishing technology.

I find it interesting that one of the features they explicitly mention in the InfoWorld article as being a reason behind this is the use (or lack thereof) of the Extended Validation Certificate (EV).

Firefox 2 does not currently support this; however, the possibility of having the browser warn you of a possible phishing attack is apparently enough for PayPal. According to the Mozilla developers, Firefox 3 will support the EV technology.

Personally I think that the automated protection schemes are great, when they work.  One of the first things I did when installing IE7 on my virtual machine was to disable the anti-phishing filter.  It is nice to have the automated systems, but there is nothing like a little user education to make the world a safer place.  According to a NetworkWorld article:

In one study, three groups of 14 participants each received e-mail messages that included spam and phishing attacks as well as legitimate mail. Two of the groups were presented with educational material about how to prevent being phished; but only one group received the material after having fallen for the phishing e-mails and entered personal information into a fraudulent Web site.

The group that was given educational materials but hadn’t been phished were no better at spotting phishing attacks than the third group, which received no educational materials at all, researchers say.

Besides, who is to be the arbiter of whether or not the site really deserves being declared a phishing site?  Sure, sometimes it is patently obvious, like when the site is dressed up to look like Citibank, but the URL is really something like “www.citibank.secure.orangecrush.cz”.  However, there is no such thing as a perfect system, and we don’t need to train the users to rely completely on the built-in safeguards.
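The Citibank look-alike above gives itself away when the hostname is read right to left: the domain that actually controls the page is orangecrush.cz, and "citibank" is only a subdomain label. The following JavaScript is an added example, not code from this post or from any browser's filter; the brand allow-list and the short multi-label suffix set are assumptions made for illustration.

```javascript
// Added example: flag hostnames that carry a protected brand name as a
// subdomain label while the registrable domain belongs to someone else.

// Constructed stand-in for the Public Suffix List (assumption: a real check
// would load the full list instead of these three entries).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Hypothetical allow-list: brand label -> domains treated as owned by it.
const BRAND_DOMAINS = { citibank: ["citibank.com"], paypal: ["paypal.com"] };

// Return the part of the hostname a registrant actually controls,
// e.g. "orangecrush.cz" for "www.citibank.secure.orangecrush.cz".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const take = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Classify a URL. Only exact label matches are considered, so a name such as
// "citibank-login.example.com" is outside what this check detects.
function checkUrl(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname;
  } catch {
    return { verdict: "invalid", host: null, registrable: null, brand: null };
  }
  const registrable = registrableDomain(host);
  const labels = host.toLowerCase().split(".");
  for (const [brand, owned] of Object.entries(BRAND_DOMAINS)) {
    if (!labels.includes(brand)) continue;
    const verdict = owned.includes(registrable)
      ? "brand-owned"
      : "brand-in-foreign-domain";
    return { verdict, host, registrable, brand };
  }
  return { verdict: "no-brand", host, registrable, brand: null };
}

// The URL from the post, plus constructed comparison cases.
for (const u of ["http://www.citibank.secure.orangecrush.cz/",
                 "https://www.citibank.com/",
                 "https://paypal.example.co.uk/"]) {
  console.log(u, checkUrl(u));
}
```

A check like this only covers the "patently obvious" case described above; it says nothing about who decides what belongs on the allow-list.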

One thought on “Safari said to be unsafe”

  1. What I don’t understand is why PayPal is blaming the browser when the point of infection is the email that you get directing you to the site. Why not blame every mail client under the sun for not also containing code that tells you if the url is suspect?
