Blocking IE6: You, Me and…PayPal?

On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. And think about it: what does the average Firefox user (or Opera user, for that matter) do when confronted with a site that will only run in IE? Fire off a complaint, or move on, unless it’s something they can’t live without, like, say, their bank. Only then will they bring up the site’s preferred browser…just long enough to do their business and move on.

Plus it goes against the grain of the concept that a website should be viewable in any browser. It offends my sense of… I don’t know, egalitarianism.

Recommend vs. Demand

My current tactics: I target the latest versions of each browser (or rather, the overlap in their standards support), toss in enhancements where I think something would be nice, but not critical (off-site link icons using generated content, for instance, which works in everything except IE≤7, or rounded corners, which only work in Gecko and WebKit so far). And I take that, and make it look reasonably good in IE6. I don’t try to make it perfect anymore (case in point, the header of this blog), but I try to make sure it’s functional and doesn’t look broken.

Then I include a polite notice recommending that people upgrade to something a little more capable or modern for a better experience, but I don’t require them to do so. I don’t pop up anything that moves, or blocks content, or forces them to click through an extra page.

Enter: PayPal

Now, remember what I said about banks? PayPal intends to block “unsafe” browsers from accessing their site (via Slashdot). They aren’t technically a bank, but PayPal is actually in a position where they might be able to do it: they’re the most well known online payment service where two random people can send each other money. Probably more people will switch browsers and keep PayPal than switch payment services and keep their browser.

They’ve since indicated that they don’t intend to block “current versions of any browsers,” but will focus on “obsolete browsers on outdated or unsupported operating systems.” So you IE4 users on Windows 98? Upgrade already! (And since you can’t install IE7, try Opera. It still runs on Win98!)

They’ve also cited such safety features as phishing protection (present in IE7, Firefox 2, and Opera 9) and support for Extended Validation SSL Certificates (present in IE7 and the upcoming Firefox 3 and Opera 9.5).

Hazards of Browser Sniffing

Of course, once you start actively blocking browsers, you have three choices:

  • Keep track of every single browser out there, and every version.
  • Let most browsers in, but only block a few problem browsers (similar to Yahoo’s Graded Browser Support)
  • Unfairly block browsers that might be perfectly adequate just because you can’t be bothered to investigate them.

The last seems the most prevalent. Just ask any Opera user today, or any Firefox user of 3 years ago. (I remember using Firefox and being told to “upgrade” to Netscape 6, even though NS6 was based on an older version of the same engine. Remember: Gecko is Gecko.)

Whitelist approaches to browser detection are, by their nature, either going to require constant updating or block too much. In this case, issues would include:

  • Less well-known browsers, like Flock, which uses the same anti-phishing features as Firefox
  • Browsers that don’t do phishing detection themselves, using third-party plugins to do the job.
  • Changes in status, when browsers add the capabilities required to get on the list.

Thankfully, it looks like PayPal is going with the most minimally-intrusive approach: blocking only the most troublesome browsers, and letting the rest connect normally.
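
The trade-off between the two policies, sketched as an added example that is not part of the original post or any site's actual code. The User-Agent strings are constructed, `SmallBrowser` is a hypothetical Gecko-based browser, and the version thresholds are assumptions (the allowlist minimums mirror the anti-phishing versions named above).

```javascript
// Constructed, simplified User-Agent strings (not captured traffic).
const SAMPLES = {
  ie4: "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
  ie7: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  firefox2: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
  opera9: "Opera/9.27 (Windows NT 5.1; U; en)",
  // Hypothetical small browser: same Gecko engine build, unknown product name.
  smallGecko: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 SmallBrowser/1.0",
};

// Assumed policy tables (Map avoids matching inherited object keys).
const ALLOWLIST = new Map([["MSIE", 7], ["Firefox", 2], ["Opera", 9]]); // minimum major version
const BLOCKLIST = new Map([["MSIE", 6]]); // hypothetical: reject MSIE older than 6

// Extract product tokens such as "MSIE 7.0" or "Firefox/2.0.0.14".
function parseTokens(ua) {
  const tokens = [];
  const re = /([A-Za-z]+)[\/ ](\d+)(?:\.\d+)*/g;
  let m;
  while ((m = re.exec(ua)) !== null) {
    tokens.push({ name: m[1], major: Number(m[2]) });
  }
  return tokens;
}

// Allowlist: admit only if a known product at or above its minimum is present.
function allowlistAdmits(ua) {
  return parseTokens(ua).some(
    (t) => ALLOWLIST.has(t.name) && t.major >= ALLOWLIST.get(t.name));
}

// Blocklist: admit unless a known problem product below its threshold is present.
function blocklistAdmits(ua) {
  return !parseTokens(ua).some(
    (t) => BLOCKLIST.has(t.name) && t.major < BLOCKLIST.get(t.name));
}

// Run both policies over every sample and collect the decisions.
function compare(samples) {
  const out = {};
  for (const [label, ua] of Object.entries(samples)) {
    out[label] = { allowlist: allowlistAdmits(ua), blocklist: blocklistAdmits(ua) };
  }
  return out;
}

console.log(compare(SAMPLES));
```

Both policies reject the IE4 sample and admit IE7, Firefox 2 and Opera 9; only the allowlist turns away the unknown Gecko browser. The User-Agent header is supplied by the client, so either check can steer ordinary users but cannot verify what software is actually connecting.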

Will it Work?

There’s still the question of whether it’ll actually make users less likely to land on a PayPal phishing site.

For one thing, it’s not clear whether they’ll block IE6. The initial report would definitely have excluded it, since it lacks both EV support and anti-phishing (without an add-on). But the follow-up statement was focused on Safari. Does PayPal consider IE6 to be a “current” version since Microsoft still supports it? Or do they consider IE7 to be current, and IE6 to be obsolete?

Certainly, if they don’t block IE6, this will really only impact the tiny fraction of users running horribly outdated software. (Well, more horribly outdated.)

The thing to remember is that the features PayPal is promoting will only help if users switch for general browsing. In fact, anti-phishing will make no difference at all on PayPal’s actual site, unless it gets hacked (at which point the user is screwed anyway.)

So let’s suppose that they do block IE6. As much as I’d like people to switch to Firefox or Opera full-time, I’m sure there will be some people who only fire up an alternative to use PayPal, and who stick with IE6 the rest of the time. They’re just as likely as before to click on a bogus “Pay with PayPal” button, or a link in a phishing email. If they weren’t going to do that in the first place, the browser requirement wasn’t needed. If they were, the browser requirement doesn’t help. The bogus sites won’t require phishing detection, or EV certs. Imagine the user saying, “Hey, PayPal fixed the problem where it wouldn’t let me use IE!”

And of course it won’t stop someone with a stolen login and password from connecting using an “approved” browser.

The ISC has also weighed in re: limitations of EV certificates. Among other things: it may be easier to get an EV cert than suggested, in which case it won’t indicate any greater degree of trust than a standard SSL certificate. And it doesn’t prevent other issues, like keyloggers or trojans that simply hijack a user’s session.

I apologize for the rambling nature of this post (yeah, site title and all that). But I worked on it on a succession of late nights, and decided it was time to just post the thing. Also, I have a somewhat more concise post up on OperaWatch. [Edit: Well, it was on Operawatch…]

View Kelson Vibber's profile on LinkedIn

6 thoughts on “Blocking IE6: You, Me and…PayPal?”

  1. Jaunty Mellifluous

    Yep, it has come to that point of time where IE6’s usage is causing panic amongst general Web Designers.

  2. Pingback: Watching Opera | K-Squared Ramblings

  3. Pingback: EV SSL Buzzword Used for Phishing | K-Squared Ramblings

  4. Peter Morffew

    I have gone lock, stock and barrel and downloaded all of the latest main browsers for my website page review.
    With all of the fanfare I have found that none are any faster than the other. The only advantage is the appearance of Firefox and Opera. IE8 still manages to come second in website presentation because Microsoft will not fully adopt the CSS rules, i.e. drop shadows.
    Now that HTML 5 is on the horizon we have a problem where MS will not implement the full code because it has not been finalised.
    If MS does not adopt HTML5 in its browsers why do we need it for the internet? If IE9+ cannot display a website properly why are website developers bothering?
    MS is really only fit for corporate intranets where IE is the preferred browser that fits in with ASP.net servers. In the real world MS has lost the plot.

  5. blah

    I’m sorry, but this post is unreadable. If you’d make only the first paragraph in the pirate slang, it would’ve been ok. As it is, this is simply unreadable.

    1. Kelson Post author

      Sorry, the post isn’t usually shown like that. I forgot that I’d left a “pirate-ify” plugin active, which converts everything to pirate slang for one day each year.

      Disabling now…
