PayPal excludes Safari from "Safer Browsers"

I've seen some very convincing PayPal phishing sites in recent years. I've also worried many times that friends and relatives less savvy in the ways of the phisher may inadvertently hand off a password or two and blame me – the one who talked them into a PayPal account to begin with – for the draining of their life savings. Thankfully PayPal shares my concern for said friends and family members and has published a guide to "Safer Browsers." Apple's Safari web browser, however, was not included in the list of recommended browsers.

This is not all that surprising, at least to anyone who's followed Safari security concerns. Despite having improved in certain areas, such as IDN spoofing, Safari still lacks some fundamental security features found in Internet Explorer (7+), Firefox and Opera. Features such as Extended Validation certificates are heavily promoted by PayPal, despite the warnings of critics who feel that many targets of phishing scams don't notice the green background in the URL field until it's too late -- if at all. Plugins like Saft do their bit, adding a few security features too. But until Safari catches up with IE and Firefox in the area of security, it's not likely that PayPal's list is going to include the otherwise spectacular browser.

[via Macworld]




28 Comments

Rob

@ James -- James said:

"Short version for *real* security:
Turn off services you don't need.
Use an external device as your firewall."

This is UNTRUE. It does NOT provide REAL security but enhanced security. I do agree that Firewalls give many users a false sense of security.

Most exploits today evade ALL firewalls (whether they are a hardware firewall or not) by using "social engineering" techniques, e.g. convincing someone to visit a website hosting malicious code or convincing someone to open an EMAIL.

A great example is the Safari TIFF exploit which iPhone Jailbreak authors used to INSTALL new firmware on your iPhone. You just needed to visit the website which had a specially crafted PICTURE. When Safari tried to display the picture, code executed jailbreaking the iPhone. It could have just as easily installed a trojan, virus, spyware or other malware.

A similar technique could be used to INSTALL software on your iPhone or Mac just by opening an EMAIL which had a specially crafted TIFF picture.

Most malware authors are using exploits in browsers, EMAIL clients and media players (e.g. QT) to install malware. Again, firewalls do not help protect you.

In my experience, Apple is the slowest in patching these exploits. MS and Linux developers are a lot faster.

What really bothers me is the Open Source community patches software used in Mac OS X and Apple often takes its time to update its software to employ the needed security patch. The TIFF security patch is a good example. Some may point to Samba as another example.

February 29 2008 at 10:06 AM
1 reply to Rob's comment
James

I mean "real" security as in PC firewalls don't provide any while my suggestions do. I didn't say they provide perfect security. That's just impossible.

February 29 2008 at 10:22 AM
miro novak

I type www.paypal.com
then enter
and what I see in the upper right corner?

Lock.

February 29 2008 at 8:48 AM
emil

Internet Explorer is safe. Yeah right.
Maybe IE7 is better than IE6, but IE6 was considered the least secure browser, EVER, by many experts.

February 29 2008 at 7:04 AM
Viper007Bond

On a semi-off-topic note, why do people insist on using Safari? As a web developer, I absolutely hate the thing. It renders nearly as bad as IE6 and makes my life a living hell if I want to "support" Safari.

Please guys, use a decent browser like Firefox.

February 28 2008 at 9:40 PM
3 replies to Viper007Bond's comment
ColonelSmith

What about OpenDNS? I set that up on my network and set it to block all phishing sites on the network. That way you don't have to depend on the browser.

www.opendns.com

February 28 2008 at 9:33 PM
Diego

Will the autofill feature and bookmarking for Firefox help in avoiding phishing sites? Like for example, I bookmark PayPal and use the autofill for logging into my account. I'm guessing it's safer because it only fills in the username and password in the right website. Is this correct?

February 28 2008 at 9:00 PM
frankmjr

I hope Apple takes this seriously, the iPhone is pushing a lot of web traffic these days with its Safari browser. That push could come to an end if it's not deemed safe by traditional web standards.

February 28 2008 at 7:32 PM
Andrew Winder

If you're worried about phishing sites, switch your dns provider from your ISP to the one provided at http://opendns.com/

The phishing protection isn't even why I use it, it's just overall an amazing freely offered product. TUAW should do a feature on it ;)

February 28 2008 at 7:26 PM
MysteryQuest

There IS a phishing filter in Safari 3, but it is currently disabled. I don't know why, but with some hacking you should be able to enable it just by writing some preferences. There is a lot of information in the Safari binary that will help people enable this. Just look around for com.apple.safari.phishing (2 results) and phishing.

February 28 2008 at 6:43 PM
Joe

I agree that Apple needs phishing filters. I'm fairly savvy and have due amount of mistrust for most email. But my parents are just open prey to phishing scams. I can't seem to communicate to them what should be suspect without making them feel like using a computer is just too much trouble. It's important for Safari (or the OS) to help clue you in when something is suspicious.

February 28 2008 at 6:06 PM
© 2012 AOL Inc. All Rights Reserved.