Vodafone will reduce its own CO2 emissions by 50 percent by 2020, and will help users lessen their burden on the environment.

"This is the right decision for a responsible business to take. It is good for the environment but also makes sense for the business," said CEO Arun Sarin in a statement Monday.

The starting point for measurements will be the company's emissions during 2006/2007, which totaled 1.23 million tons. Currently, Vodafone's network accounts for 80 percent of its emissions, so improving energy efficiency here is a top priority.

It also plans to introduce solar-powered phone chargers for Vodafone-branded handsets to help users limit their own emissions.

Vodafone has also reviewed other ways to lower CO2 emissions, including carbon-offsetting, but came to the conclusion that direct cuts are is the best alternative.

The announcement doesn't come as a surprise to Mikael Salo, editor-in-chief at the Swedish paper Miljöaktuellt, which focuses on environmental issues.

"It is quickly becoming a must for all companies, including mobile carriers, to analyze how it affects the environment and what it can do to improve energy efficiency," he said.

At the same time the mobile operator encourages others to take similar action, and it isn't alone -- last week Taiwan Mobile announced it had adopted 10,000 trees.

PayPal has denied claims it plans to lock Safari users out of its online payments service as it reinforces its protections against online credit fraud.

It has been previously reported that the company intends strengthening its defenses against phishing attacks. Early reports indicating Safari may be affected by the company move to block users of older or less secure browsers were incorrect.

PayPal corporate communications spokesman, Michael Oldenburg, told 9 to 5 Mac: "PayPal is developing features to block customers from logging into PayPal when using obsolete browsers on outdated or unsupported operating systems. An example of such a browser/OS combination might be, for example, Internet Explorer 4 running on Windows 98. In doing so, we better protect our customers from viewing a phishing site through their browser. We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our Web site."

PayPal last week warned of plans to lock PayPal users from accessing the electronic payment service if they are using older versions of web browsers as it continues its war against phishing attacks.

Phishing sites are designed to look like the legitimate websites of major brands such as banks and seek to elicit financial and personal information. Users are lured to the sites through unsolicited emails, or can unwittingly land on one if a phisher has bought a domain with a convincing-looking name or one with slightly different spelling.

A vulnerability in servers used by EarthLink to handle mistyped Web page requests may have allowed attackers to launch undetectable phishing attacks against any Internet site, according to a noted Internet security researcher.

The bug, which was patched earlier this week, underscores a fundamental security risk in the way that some ISPs are attempting to generate advertising revenue from mistyped Web addresses, said Dan Kaminsky, director of penetration testing with IOActive, a security consulting firm.

The vulnerability was in a service called Barefruit, which EarthLink has been using since August 2006 to return Web pages with search terms and advertising to customers who mistype a domain name in their browser.

[ Find out how phishers can use  DNS server redirection to catch unsuspecting users. ]

Barefruit, which is based in London, operates a service that works with Domain Name Servers (DNSes), which are used by the browser to translate domain names, such as yahoo.com, into numerical Internet Protocol addresses. Typically, when a browser asks a DNS server for a nonexistent Internet address -- adsewrds.yahoo.com for example -- the DNS server returns an error message indicating that no such address exists. With Barefruit's servers, the user is told that the address does exist, and is then sent to a Web page that displays advertising and suggested search terms.

Because of a bug in the software used to redirect users to these advertising and search pages, Kaminsky was able to get the pages to run his own JavaScript code. With the browser treating this code as if it were from a legitimate domain, Kaminsky was able to steal users' cookies, create fake Web sites that appeared to be hosted on legitimate domains, and even log into certain Web sites without authorization.

Generating revenue from domain name typos has generated controversy before. In 2003, domain name registrar Verisign was forced to disable a similar system called SiteFinder, which redirected Web surfers who had typed nonexistent domains.

EarthLink is not the only ISP to be testing this system. Kaminsky said he found evidence of Barefruit or similar systems being tested on Verizon, Time Warner, Qwest and Comcast, which outsources some of its network to EarthLink.

"The security of the entire Web for these ISPs is right now limited by the security of some random ad server run by a British company," he said. "Somebody running an ad server controls the security of whitehouse.gov. This is not a good situation."

A Verizon spokesman said that his company was not using the Barefruit service.

In a statement, EarthLink confirmed that it had patched Kaminsky's bug, but did not address the broader security concerns that Kaminsky believes are raised by this model.

However, the company did defend its use of the service in 2006, when it was first introduced.

"By presenting users with contextual help based upon the nonexistent domain the user entered, we believe we are improving the EarthLink user experience with a system that will not interfere with other network processes," EarthLink said in a blog posting at the time. "And DNS error handling presents an opportunity for EarthLink to generate additional revenue as well."

Originally, Kaminsky hadn't intended to go public with his findings, but after press reports last week that Network Solutions was engaging in a similar practice -- redirecting nonexistent subdomains of some of its Web hosting customers to Network Solutions pages containing advertisements -- he felt compelled to draw attention to the issue.

News of this Network Solutions policy was sure to encourage attackers to look for cross-site scripting flaws on the company's servers, similar to the bug he had found in Barefruit, Kaminsky said. "If anything happens to those servers, a lot of people are in trouble," he said.

Kaminsky will present a demonstration of his findings on Saturday at the Toorcon Seattle security conference.

In the latest death knell for Outlook Express, Microsoft announced Thursday that it will turn off access to its Web-based Hotmail service from the desktop e-mail software at the end of June.

Outlook Express users who want to continue to access their Hotmail accounts offline after June 30 are being encouraged by Microsoft to download its free Windows Live Mail software.

Users will still be able to use Outlook, the big brother of Outlook Express, to read their Hotmail messages offline, but first they may have to upgrade their Outlook Connector synchronization software, according to information posted online today by Scott Hammer, a Microsoft e-mail support manager.

Hammer said that Hotmail users also will still be able to use any other desktop e-mail client that is POP3-compliant, such as the open-source Thunderbird software. Macintosh users, meanwhile, can continue using Microsoft's Entourage e-mail client for the Mac to access Hotmail, which is the second-most-popular Web mail service in the U.S. behind Yahoo Mail, according to market research firm HitWise Pty.

Outlook Express first appeared in 1997, when it was bundled with Internet Explorer 4.0 . At one point the most popular e-mail software for Windows users, the technology saw its usage start to decline after suffering major virus and malware problems early this decade. Microsoft's last update of the software, Outlook Express 6, was released in August 2004.

In a blog post at Microsoft's e-mail technical support Web site, Hammer said that Microsoft is disabling the DAV e-mail protocol used by Outlook Express to download messages because it is too slow for the larger e-mail in-boxes now in use. For instance, the Windows Live service offers Hotmail users 5GB in-boxes free of charge.

Instead of DAV, Windows Live Mail uses a new technology called DeltaSync to replicate e-mail, contacts, and other data between Hotmail and a user's PC. Microsoft says DeltaSync is faster because it only downloads new or modified messages and headers from the Hotmail server, whereas DAV downloaded everything. But, Hammer wrote, "the new protocol unfortunately is not supported by Outlook Express, and support would require too many changes to the Outlook Express software."

Released last November, Windows Live Mail is a successor to both Outlook Express and the Windows Mail client that shipped with Windows Vista. New features above and beyond the improvements that were in Windows Mail include support for RSS feeds, improved photo-sharing and increased integration with other cloud-based Windows Live online services.

This reporter's main trepidation about moving to Windows Live Mail was how well it would import my existing Outlook Express messages and contacts. The experience was fine, though: after setup, Windows Live Mail automatically searched for and found the right folders. Importing more than 10,000 e-mails took about 15 minutes.

Now that Salesforce.com has proved that SaaS (software-as-a-service) is a successful business model, the company hopes to lead the way in cloud computing.

Many in the software industry consider cloud computing -- offering a development infrastructure as a service -- to be the next step in the move away from packaged software.

Salesforce.com Chairman and CEO Marc Benioff stopped in New York this week to proselytize about why customers should use his company's Force.com platform, which offers application development in the cloud, over traditional application-development infrastructure.

Benioff is well-known for promoting his company's service-oriented strategy as the wave of the future, and he has positioned Force.com as the greatest thing to happen to application development since Visual Basic. However, given the emerging trend toward platform-as-a-service, Benioff and company appear to be on to something.

Salesforce.com's hosted development platform is gaining traction among companies that don't want to spend time and money investing in on-premise software infrastructure or for those that can't afford to because of budget constraints, said business customers who have used Force.com.

And as business customers become more comfortable with hosting and developing applications in the cloud, Force.com could displace traditional on-premise development infrastructure offered by the likes of Microsoft, Oracle, and IBM for some customers, especially those in the SMB market.

Platform-as-a-service got a big boost last week when Google introduced App Engine, joining Salesforce.com and Amazon.com, with its Elastic Compute Cloud (EC2), as early entrants in the space. However, neither Amazon.com nor Google is particularly focused on business customers, which is what differentiates Salesforce.com and could give it a better chance of competing with Microsoft and IBM for corporate developers.

Still, customers and analysts cite a few key challenges for persuading businesses to build applications on a hosted platform like Salesforce.com's or Google's. Among them, according to RedMonk analyst Michael Cote, is that a traditional IT department will feel displaced when managers inform them their coding skills and abilities to integrate complex development infrastructure are no longer needed.

"If you're an IT department in a big enterprise, it makes you wonder what your job is going to be," he said.

Jeremy Roche, CEO of CODA Financials, ran into that problem when he told his IT department that the company would be building a new version of its ERP (enterprise resource planning) and accounting applications in the cloud on Force.com. But there was no other option for the company, which would have needed "50-plus developers," millions of dollars and two years to build the infrastructure to do the development that was required, he said during a presentation at Salesforce.com's New York event.

"I didn't want to have to talk to shareholders" about that, said Roche, whose company has headquarters in the U.K.

CODA repurposed some Java developers and trained them on the Force.com platform, since, according to Roche, the development model is similar to Java. It took less than a month to train them, and they completed Coda2Go in about six months. If the company hadn't used Force.com, "we'd still be building the infrastructure right now," Roche said in an interview.

Roche also addressed another chief complaint of cloud-computing critics -- vendor lock-in. Many people are not keen on the idea of turning over the management of their application code and development platform to one company when they're used to the idea of developing and maintaining applications on premise.

But whether his company built its application on Microsoft or Oracle or SAP, there would still be a certain amount of lock-in to that platform in terms of maintaining it over the years and depending on that vendor for upgrades, Roche said.

"You can't create a way of not getting locked into Oracle or SAP," agreed Narinder Singh, founder of Appirio, a Force.com customer based in San Francisco. Appirio provides consulting for companies about how to use on-demand services and offers applications that connect the dots between Google Apps and Salesforce.com.

Singh, who previously worked at SAP, said the biggest barrier to winning over chief information officers with the platform-as-a-service notion is to break through preconceived notions of how software should be built.

"I can't overemphasize that enough. You have to get to where someone will say, 'I've never seen enterprise software before' to win them over," Singh said.

Singh acknowledged that in the early adopter phase of platforms such as Force.com, new applications will inevitably be tied to Salesforce.com's salesforce automation service. But eventually, companies will start to see the value of building applications in the cloud that can stand on their own, and other traditional application-development companies like Microsoft will have to respond with their own platform-as-a-service offerings.

Another criticism of Force.com is that building applications in its Apex development language and on an intrinsically proprietary platform doesn't give developers as much flexibility in creating applications as they would have using on-premise Java or .Net infrastructure.

Jonathan Snyder, CTO of Dreambulider Investments, agreed that "there are limitations" to writing applications on Force.com. But for the 10-person mortgage investment company in New York, the time and cost savings far outweigh those limitations.

"For us, we're a small company, we don't have the resources to focus on buying servers and developing from scratch," he said. "For us, Force.com was really a jump-start."

Companies such as Snyder's, as well as those in the midmarket, are certainly in the sweet spot for Force.com, said RedMonk's Cote.

"It seems to me that the real advantage of the platform as a service is ... in the midmarket," he said. "It's something they can afford to use. That's one of the more positive, exciting aspects of it. Hopefully, it opens up these features to a wider market of people."

In his presentation this week, Salesforce.com's Benioff recognized the possibilities of a platform such as Force.com not only for smaller businesses in the U.S., but also for companies in developing countries where building software-development infrastructure is cost-prohibitive.

Software development "has been expensive, complex and risky" and "does not serve emerging countries," he said. "Cloud computing offers a different choice."

Now for Salesforce.com, Google and others in the emerging market for cloud computing infrastructure, it remains to be seen how many businesses are willing to make that choice.

Psssst ... Hey, you over there! Yeah, you. Wanna buy some F-14 components? According to the Government Accountability Office, purloined military equipment can be found online at eBay or Craigslist. Seems like it was a week for wild-and-woolly Internet-related news. SANS Institute researchers found a software tool that uses Google's search engine to sniff out sites that have vulnerable applications, University of Washington researchers found that a small portion of Internet traffic is messed with by ISPs, and a Chinese hacker group is calling for a denial-of-service attack as a protest of the protests related to the upcoming Beijing Olympics.

[ Video: Review the week in tech news with the World Tech Update ]

1. GAO: Stolen U.S. military gear sold on eBay, Craigslist: In the market for body armor, night-vision googles, or protective gear in the event of a nuclear or biochemical attack? Well, who isn't these days? Such goods are easy enough to find, as it turns out -- all it takes is an online trip to eBay or Craigslist, according to the Government Accountability Office (GAO), which found a variety of stolen U.S. miliary equipment for sale at those sites. GAO undercover investigators sniffed around between January 2007 and March 2008 and turned up an impressive list of purloined military goods, including F-14 aircraft components, a U.S. Army combat uniform complete with accessories, body armor vests, and night-vision goggles that contained a component that identifies friendly fighters wearing infrared tabs. Executives of both companies appeared before a congressional subcommittee investigating the matter and insisted they have strong antifraud efforts in place.

2. Chinese hackers poised for anti-CNN attack on April 19: Chinese hackers have apparently called for a denial-of-service attack against CNN's Web site on April 19, as well as for street protests in Germany, France, the Netherlands, and the U.K. as a counter to media coverage of demonstrations against the upcoming Olympics in Beijing. Protesters have turned out in recent weeks as the Olympic torch has made its jog around the world, with demonstrations focused on Tibet and human rights violations in China. The Chinese site, Anti-CNN, doesn't much care for what it says are lies and distortions in Western media coverage of China and the attendant protests and so has called for a protest of its own.

3. Don't skip Vista, Forrester study says: Companies should get going on migrating client desktops to Microsoft's Vista operating system, and those without plans to update should rethink that decision, an independent study from Forrester Research urges. With a lot of talk about companies forgoing Vista and planning OS migration around the forthcoming Windows 7 release, Forrester sets out why that's not a good idea. Chief among those reasons is that Microsoft plans to end support and security patches for Windows 2000 and XP with Windows 7 not expected out until 2010 at the earliest. Forrester also noted that Vista does have features and capabilities, including security functions and user enhancements, that make it worth using.

4. FCC Net neutrality hearing draws diverse views: Network neutrality isn't just about keeping Internet pipes open -- it involves issues as diverse as copyrights, Internet investments, entertainment choices and freedom of religion, according to those who testified at a U.S. Federal Communications Commission (FCC) hearing this week at Stanford. FCC commissioners weighed in with different stances on the subject, with some warning of a need for government intervention and others urging the government to stay out of it. "The dynamic Internet, perhaps the most expansive and liberating technology since the printing press, is, in fact, under threat," said Commissioner Michael Copps, who is a Democrat. "We will keep it open, we will keep it free, only if we act forcefully to make that happen." In the second of its public hearings on the matter, the FCC heard about service providers who have blocked content from going over their networks, including comments from Michele Combs of the Christian Coalition of America, who said that Comcast blocked sharing a digital text of the King James Bible and could block online programming from her group to promote its own Christian-focused channel.

5. SANS solves mystery of mass Web site infections: The SANS Institute discovered a software tool that uses Google's search engine to find Web sites running some types of vulnerable applications, Bojan Zdrnja said on the SANS blog, calling the finding a "rare gem." The discovery is helping researchers understand how 20,000 Web sites have been hacked so far this year. "While we had a general idea what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked or what tools the attackers used," Zdrnja wrote.

6. Oracle to expand SAP lawsuit, may target execs: Oracle plans to file a second amended complaint against rival SAP and its TomorrowNow subsidiary, alleging "a pattern of unlawful conduct that is different from, and even more serious than" charges made in its original lawsuit filed a year ago. The amended complaint will allege that TomorrowNow employees stole software applications from Oracle with the knowledge of SAP executives. The original lawsuit contends that TomorrowNow employees pretended to be Oracle customers so that they could obtain software patches and other materials from a Web site for Oracle support. Those materials were used to undercut Oracle prices and to lure customers to ditch Oracle for SAP, Oracle claims. SAP has steadfastly denied that its executives knew anything about any alleged shenanigans aimed at Oracle, which hasn't named names yet. "It appears that SAP AG and SAP America knew -- at executive levels -- of the likely illegality of TN's business model from the time of their acquisition of TN and, for business reasons, failed to change it," Oracle alleges. SAP counters that Oracle is exaggerating, filing "press releases" under the guise of court papers and trying to keep the case going longer than it should.

7. Microsoft confirms testing of 'Albany' low-cost Office suite: Microsoft will release a subscription-based productivity software suite and has distributed a beta version to testers. Code-named Albany, the suite will combine Office Home and Student 2007; Office Live Workspaces; Windows Live Mail, Messenger, and Photos client software; and Windows Live OneCare. The suite will be aimed at -- you guessed it -- Google Docs and other free or low-cost productivity software suites. Microsoft doesn't plan a public beta for Albany, which it plans to release by year's end.

8. Storm clouds looming for Internet, experts say: A shortage of IP addresses, strains on routing tables, and other challenges to Internet growth and effectiveness were top of mind for attendees at the annual FutureNet conference, which focuses on communications services. The IP address problem could hit within the next few years and owes to IPv4 running out of capacity to meet demand. That version of IP provides some 4.7 billion possible IP addresses, but the explosion of Internet growth means that the shortage will be real and has reached "crisis" proportions, according to Akinori Maemora, chairman of the Asia Pacific Network Information Centre. "Most people in the world are still in a state of denial about it," said Tony Hain, Cisco Systems' IPv6 technical leader. IPv6 is the next version of IP, which will provide more capacity and help alleviate some of the crunch, but not for long.

9. CEO subpoena scam fires up anew: Several thousand corporate executives were tricked into downloading malicious software early in the week, and that success apparently led miscreants to toss out the phishing scam on a smaller scale a few days later. The scam involved sending e-mails to senior executives, including some CEOs, telling them they had been subpoenaed in a federal court case. Clicking on the e-mails would take executives to a site similar to a legitimate federal court home page in California. The targeted scam uses names of executives, as well as the names and correct phone numbers of their companies. So, perhaps a reminder is in order that although the U.S. court system uses e-mail for some communications and allows electronic filings and the like, subpoenas are still delivered the old-fashioned way.

10. ISPs meddled with their customers' Web traffic, study finds: Ha! We knew it! Some Web pages are changed in transit, at times in harmful ways, say researchers at the University of Washington. OK, so this unsavory practice happens to only about 1 percent of Web pages, and only a small number of ISPs are putting ads into Web pages that go over their networks, but still.... The researchers also discovered that certain Web-browsing and ad-blocking software puts security vulnerabilities into pages, making surfing the Web more dangerous. "The Web is a lot more wild than we originally expected," said Charles Reis, a Ph.D. student at the university and co-author of a paper about the finding that ISPs mess with customer traffic.

Apple has changed its software update tool for Windows users so that it separates updates for already-installed programs from offers to install new software.

Last month, John Lilly, Mozilla's CEO, took Apple to task for using the update tool, familiar to Windows users as the mechanism for updating iTunes, to push the Safari browser to people who had not previously installed the program. Lilly said the practice "undermines the Internet" and "borders on malware distribution practices."

Lilly's comments, which appeared in a blog post, raised a furor, with Apple defenders calling his criticisms, among other things, a "mountain out of a molehill" and a "load of crap."

Apple has updated the Windows utility, dubbed "Software Update," to version 2.1. That version features a split-pane displays that lists "Updates" atop and "New Software" below. On Windows XP and Vista machines sans Safari, for instance, the Apple browser appears in the New Software section, with its selection box pre-checked.

Mozilla noticed the change.

Asa Dotzler, Mozilla's director of community development, said the move was "an important, though not sufficient, improvement" and called on Apple to go a step further. "Now Apple needs [to] stop checking the box for 'New Software' items by default," he said in a post to his blog.

In his March reproach of Apple, Lilly had also brought up the checked-by-default box; today he echoed Dotzler. "Good change! A bit more to do..." he wrote on his blog.

It's unclear when Apple first started offering Software Update 2.1; there was no mention of it on Apple's Web site, for example. On Windows Vista, however, the installed tool carries a date stamp of April 11.

"In this latest release we have made it easier for customers to identify between software updates and new applications," said Apple spokesman Anuj Nayar. He declined to comment on whether Apple made the change in response to last month's criticisms, or if it would consider Mozilla's request to deselect the Safari install box.

Apple updated Safari to 3.1.1 yesterday, fixing four flaws in the Windows version and two in the Mac edition. One of the two bugs on the Mac side had been used in a hacker contest last month by a researcher who took home a $10,000 check and the MacBook Air notebook he hacked.

In the latest of a long line of data and storage-related buys, IBM said Friday it has acquired Diligent Technologies for an undisclosed sum.

Diligent, which has offices in Framingham, Mass., and Tel Aviv, is known for its de-duplication technology, a technique for saving storage space by eliminating redundant data, such as multiple copies of the same e-mail attachment within an e-mail archive. The company's ProtecTIER product employs an in-line de-duplication engine that does the work as data is brought into a system, not after the fact, which saves time, according to Diligent's Web site.

Diligent's technologies and its workers will be brought under IBM's system storage business unit within the systems and technology group.

One observer questioned whether the Diligent deal could hurt players such as Hitachi Data Systems, given that it has been reselling ProtecTIER.

"Now that the IBM acquisition of Diligent Technology appears to be all but a done deal, where does that leave HDS and their customers, as HDS is now left without a viable de-duplication technology in one of the hottest sectors in data storage?" wrote Jerome Wendt, president and lead analyst of DCIG, a consulting firm, on his blog.

The buy marks the third storage-related grab by IBM in just the past few months, following its moves to acquire XIV and FilesX. IBM, which posted strong second-quarter earnings on Wednesday, said the Diligent deal is also part of its planned earnings-per-share growth strategy.

De-duplication is seen as a hot trend within the storage space. The 451 Group last year predicted the market sector could grow to $1 billion by 2009. The space includes a range of independents such as ExaGrid, along with major vendors like Symantec.

Oracle also features the capability in its flagship 11g database, and Sun Microsystems recently made a de-duplication announcement as well.

Bull has a gadget for businesses worried about the security of data stored on laptops: a bootable, portable password-protected hard disk drive with an embedded cryptographic processor that protects data if the device is lost or stolen.

Globull (pronounced globule) is a bright red package about the size and weight of an iPod Classic. It has a color display, houses a 60GB hard disk drive and has a USB 2.0 cable that wraps around the device for storage.

Plug it into any PC that can boot from an external USB 2.0 drive, switch on the computer, enter your password on Globull's tiny touch-sensitive display, and you have access to your regular working environment, applications and data. Switch off the computer again and you can take your data away without leaving a trace, according to Bull.

Most recent PCs have the ability to boot from an external USB (Universal Serial Bus) drive -- although IT managers may have chosen to disable this option in the BIOS settings for security reasons: it's not always desirable if staff can boot up an operating system of their choice, bypassing antivirus or other security software installed on company PCs.

The 120-gram Globull package contains the hard disk and a cryptographic processor that scrambles data on the fly at 100Mbps, using the Advanced Encryption Standard with a 256-bit key (AES-256), protecting the data if the disk is lost or stolen. Without the password, the data cannot be decrypted.

Bull envisages a number of scenarios in which the drive could be useful to secure data: mobile workers with their own laptop; staff working on shared PCs, or for performing demonstrations on a client's computer. The company suggests installing a complete operating system -- Windows or Linux -- and applications on the device, but warns buyers to ensure that their existing software licenses allow such a use.

For now, Bull is offering the device only in France, but despite the defense-level encryption it contains, there's no legal reason why it can't be sold elsewhere, said company spokeswoman Anne Marie Jourdain: Bull just preferred to concentrate on France first, and an international launch is planned for the second half of the year, she said.

Globull has a price tag of ¬460 ($685), but the price is negotiable in quantity, Jourdain said.

PayPal, eBay's electronic payment service, plans to take the dramatic step of locking out people using older versions of Web browsers in order to stem phishing attacks.

PayPal said a "significant" group of people still use Microsoft's Internet Explorer 3, released in 1996, and IE 4, which debuted in 1997. Those browsers lack a phishing filter, which can block users from accessing a reported phishing Web site.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," according to a paper released during the RSA security conference in San Francisco earlier this month.

It also could mean eventual trouble for users of Apple's Safari browser, which has no phishing filter. In February PayPal warned users to stay clear of Safari.

Phishing sites are designed to look like the legitimate Web sites of major brands such as banks and seek to elicit financial and personal information. Users are often lured to the sites through unsolicited e-mail, or can unwittingly land on one if a phisher has bought a domain with a convincing-looking name or one with slightly differently spelling.

PayPal has been one of the brands hit hard by phishing since the service allows people to transfer money. The company has taken steps to strengthen authentication controls and worked with ISPs

(Internet service providers) to block e-mails purporting to be from PayPal but lacking a valid digital signature.

PayPal said it plans to warn users who come to its site that they are using an old browser. Eventually, those users will be blocked, although the company did not say when.

The plan won't necessarily prevent a person from being victimized by a phishing attack. A user could still be duped by an e-mail with a link to a phishing site and then divulge their details.

But by preventing access to its site, PayPal hopes those users will then upgrade their browsers, which will then give them an additional security protection against phishing.

Internet Explorer 7, Firefox 2, and Opera 9 have phishing filters, but Apple's browser -- Safari -- does not. Safari also does not support Extended Validation SSL (Secure Socket Layer) Certificates, issued to Web sites that have been vetted as legitimate.

For Web site with that certificate, IE shows a green bar. Firefox's address bar changes with white to beige and Opera denotes a safe site.