Filed under: Software, Apple, Security
PayPal excludes Safari from "Safer Browsers"
I've seen some very convincing PayPal phishing sites in recent years. I've also worried many times that friends and relatives less savvy in the ways of the phisher may inadvertently hand off a password or two and blame me – the one who talked them into a PayPal account to begin with – for the draining of their life savings. Thankfully PayPal shares my concern for said friends and family members and has published a guide to "Safer Browsers." Apple's Safari web browser, however, was not included in the list of recommended browsers.
This is not all that surprising, at least to anyone who has followed Safari security concerns. Despite having improved in certain areas, such as IDN spoofing, Safari still lacks some fundamental security features found in Internet Explorer (7+), Firefox and Opera. Extended Validation (EV) certificates, for example, are heavily promoted by PayPal, despite the warnings of critics who feel that many targets of phishing scams don't notice the green background in the URL field until it's too late, if at all. Plugins like Saft do their bit, adding a few security features too. But until Safari catches up with IE and Firefox in the area of security, PayPal's list is not likely to include the otherwise spectacular browser.
[via Macworld]
Reader Comments (Page 1 of 2)
blinkcowz182 said 4:42PM on 2-28-2008
I can't stand the phishing filter on IE7. It is always nagging me to check sites that are obviously legit. I don't know how it identifies possible phishing sites, but it does a poor job of it. To call Safari "behind" is just ridiculous. Maybe they should work harder to prevent those phishing sites from popping up?
Chris G. said 4:44PM on 2-28-2008
Wasn't Safari 3 (and Mail) supposed to include phishing protection at some point, but it was pulled from the final releases with no explanation?
I know that is one reason why I use Firefox 3 (Beta 3) on my Mac. I can quickly see if a site is secure (address bar turns yellow) and I know there is phishing protection. Yes, it isn't going to catch every phishing site, but the odds are better than not having any phishing protection at all.
Aaron Davies said 4:51PM on 2-28-2008
Avoiding getting phished is simple: delete all email from financial companies that contains links. Anyone who does anything else has no one but themselves to blame if they get robbed.
Jon said 5:38PM on 2-28-2008
My legitimate Bank of America emails actually contain login links. They're just asking for trouble.
Mo said 4:54PM on 2-28-2008
Anti-phishing isn't a terrible idea—Firefox does it well enough.
EV is a complete waste of money, and every client I've dealt with knew as much without asking my opinion on it. Nobody cares if a site has an EV certificate, so nobody's going to shell out for one; vicious circle—which is a good thing, considering it's a flawed idea from the start. It's really just a moneymaking scheme for the big CAs (as if they don't earn enough already).
dashiel said 4:55PM on 2-28-2008
bogus. IE7 is the only shipping browser to support EV! firefox and opera have committed to future versions supporting EV (firefox 3 for instance does), but this is just whining from paypal in an attempt to get apple to divulge information about future versions.
just because apple doesn't blab about all their future features of safari doesn't mean it's not happening.
jigme said 5:10PM on 2-28-2008
um... maybe slightly OT, but i don't get the "otherwise spectacular..." phrase. i really don't mean to be a basher - i'll use whatever works best, whoever makes it - but can anyone tell me any good reason to use Safari over (my long-time preference) Firefox?
I'm genuinely curious here - what are Safari's benefits over FF?
TIA.
Respondent said 5:15PM on 2-28-2008
S
p
e
e
d
jigme said 5:29PM on 2-28-2008
hmm. having conducted a non-scientific quick spin around the block, i'm preliminarily concluding that while
s
p
e
e
d
may be a fair summary of FF, Safari came in more like
...
...
...
...
speed
but that was definitely unscientific... i daresay there are benchmarks around someplace?
TEG said 5:14PM on 2-28-2008
Paypal is only making sure that Idiots don't get screwed. I'll continue to use PayPal, because I'm smart enough to go to the site myself instead of following some link. Regardless, they are still full of crap.
Patrick said 5:36PM on 2-28-2008
Everyone who is dumb enough to visit PayPal or a financial site through links or an insecure wifi connection won't give a s*** if there are any yellow buttons on his browser.
Marshall said 5:48PM on 2-28-2008
Agreed. I know people who have responded to Nigerian wealth scam emails. These same people have asked me how to protect themselves from spammers and phishers (usually right after a special on the evening news). They are so blinded by something in the messages they get, that no amount of telling them not to click on things in their spam folder, or not to send any personal information over email is going to work. Some people have brains that just don't work right.
Rob said 5:40PM on 2-28-2008
Safari is like swiss cheese. It is full of holes!!
I really do not think that Apple takes Security seriously. Hmm, let's see:
1) Apple ships Leopard with the Firewall turned off! (What other OS did the same thing and regretted it?)
2) Apple changes the firewall in Leopard to a new untested application firewall so no matter what you do some ports are always left open!
3) Holes in Safari are used by hackers to jailbreak the iPhone JUST by visiting a website! (This hole was apparently caused by Apple failing to use the LATEST version of the Open Source libtiff library).
And so on..
Come on Apple. Start taking Security seriously!!
IMHO, Apple will NOT start to take security seriously until the public perception that Apple is a secure computer platform is shattered. And at the rate Apple is going that will take no time at all..
James said 6:04PM on 2-28-2008
The lack of a firewall is only a problem if your system has remote exploits to begin with. They're almost certainly there, but don't hold your breath waiting for them to be discovered. And when you have the service running, you generally open a hole in the firewall defeating the purpose of having it.
Firewalls on a PC provide more of an impression of security than any actual security. To really protect your computer from remote exploits, never directly expose it to the internet. Use something like a NAT router, and explicitly and thoughtfully control what traffic you allow it to pass on to your computer.
Short version for *real* security:
Turn off services you don't need.
Use an external device as your firewall.
Joe said 6:06PM on 2-28-2008
I agree that apple needs phishing filters. I'm fairly savvy and have a due amount of mistrust for most email. But my parents are just open prey to phishing scams. I can't seem to communicate to them what should be suspect without making them feel like using a computer is just too much trouble. It's important for safari (or the OS) to help clue you in when something is suspicious.
MysteryQuest said 6:43PM on 2-28-2008
There IS a phishing filter in Safari 3, but it is currently disabled. I don't know why, but with some hacking you should be able to enable it just by writing some preferences. There is a lot of information in the Safari binary that will help people enable this. Just look around for com.apple.safari.phishing (2 results) and phishing.
Andrew said 7:27PM on 2-28-2008
If you're worried about phishing sites, switch your DNS provider from your ISP to the one provided at http://opendns.com/
The phishing protection isn't even why I use it, it's just overall an amazing freely offered product. TUAW should do a feature on it ;)
x999x said 7:32PM on 2-28-2008
I hope apple takes this seriously, the iPhone is pushing a lot of web traffic these days with its Safari browser. That push could come to an end if it's not deemed safe by traditional web standards.
Diego said 9:01PM on 2-28-2008
Will the autofill feature and bookmarking for firefox help in avoiding phishing sites? Like for example, I bookmark paypal and use the autofill for logging into my account. I'm guessing it's safer because it only fills in the username and password in the right website. Is this correct?
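On Diego's question above: as an added example (not code from the post, from PayPal or from any browser), a small Python model of origin-keyed autofill showing why a saved password is only offered back on the exact site it was saved on, and not on a look-alike domain, an http downgrade or an IDN-spoofed host. All URLs and credentials in it are constructed sample values.

```python
"""Added example (not from the post or from any browser's code): why
origin-bound autofill helps against phishing. A credential is stored under
the canonical origin (scheme, IDNA host, port) of the page where it was saved
and is only offered again when the current page's origin matches exactly.
A look-alike domain, an http downgrade or an IDN homograph (the Cyrillic 'a'
below) therefore never receives the password. All values are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_origin(url: str) -> tuple:
    """Return (scheme, host, port) for url, with the host lower-cased and
    converted to its IDNA (punycode) form so that a homograph host can never
    compare equal to the ASCII host it imitates."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").encode("idna").decode("ascii")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


class CredentialStore:
    """Minimal model of a browser/password-manager vault keyed by origin."""

    def __init__(self):
        self._by_origin = {}

    def save(self, url: str, username: str, password: str) -> None:
        self._by_origin[canonical_origin(url)] = (username, password)

    def autofill(self, url: str):
        """Return (username, password) only for an exact origin match, else None."""
        return self._by_origin.get(canonical_origin(url))


def demo() -> dict:
    """Fill attempts from the legitimate site and from three look-alikes."""
    store = CredentialStore()
    store.save("https://www.paypal.com/login", "alice@example.test", "hunter2")  # constructed
    attempts = {
        "same_site_other_path": "https://www.paypal.com/cgi-bin/webscr",
        "lookalike_domain": "https://www.paypal.com.login-verify.example/",
        "http_downgrade": "http://www.paypal.com/login",
        "idn_homograph": "https://www.p\u0430ypal.com/login",  # U+0430 Cyrillic a
    }
    return {name: store.autofill(url) for name, url in attempts.items()}
```

Only the first attempt gets the credential back; the other three origins differ from the stored one, so nothing is filled.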
ColonelSmith said 9:33PM on 2-28-2008
What about OpenDNS? I set that up on my network and set it to block all phishing sites on the network. That way you don't have to depend on the browser.
www.opendns.com