I've seen some very convincing PayPal phishing sites in recent years. I've also worried many times that friends and relatives less savvy in the ways of the phisher may inadvertently hand off a password or two and blame me – the one who talked them into a PayPal account to begin with – for the draining of their life savings. Thankfully PayPal shares my concern for said friends and family members and has published a guide to "Safer Browsers." Apple's Safari web browser, however, was not included in the list of recommended browsers.
This is not all that surprising, at least to anyone who has followed Safari security concerns. Despite having improved in certain areas, such as its handling of IDN spoofing, Safari still lacks some fundamental security features found in Internet Explorer (7+), Firefox and Opera. One such feature, support for Extended Validation certificates, is heavily promoted by PayPal, despite the warnings of critics who feel that many targets of phishing scams don't notice the green background in the URL field until it's too late, if at all. Plugins like Saft do their bit, adding a few security features too. But until Safari catches up with IE and Firefox in the area of security, it's not likely that PayPal's list is going to include the otherwise spectacular browser.
[via Macworld]
Reader Comments (Page 1 of 2)
2-28-2008 @ 4:42PM
blinkcowz182 said...
I can't stand the phishing filter on IE7. It is always nagging me to check sites that are obviously legit. I don't know how it identifies possible phishing sites, but it does a poor job of it. To call Safari "behind" is just ridiculous. Maybe they should work harder to prevent those phishing sites from popping up?
Reply
2-28-2008 @ 4:44PM
Chris G. said...
Wasn't Safari 3 (and Mail) supposed to include phishing protection at some point, but it was pulled from the final releases with no explanation?
I know that is one reason why I use Firefox 3 (Beta 3) on my Mac. I can quickly see if a site is secure (address bar turns yellow) and I know there is phishing protection. Yes, it isn't going to catch every phishing site, but the odds are better than not having any phishing protection at all.
Reply
2-28-2008 @ 4:51PM
Aaron Davies said...
Avoiding getting phished is simple: delete all email from financial companies that contains links. Anyone who does anything else has no one but themselves to blame if they get robbed.
Reply
2-28-2008 @ 5:38PM
Jon said...
My legitimate Bank of America emails actually contain login links. They're just asking for trouble.
2-28-2008 @ 4:54PM
Mo said...
Anti-phishing isn't a terrible idea—Firefox does it well enough.
EV is a complete waste of money, and every client I've dealt with knew as much without asking my opinion on it. Nobody cares if a site has an EV certificate, so nobody's going to shell out for one; vicious circle—which is a good thing, considering it's a flawed idea from the start. It's really just a moneymaking scheme for the big CAs (as if they don't earn enough already).
Reply
2-28-2008 @ 4:55PM
dashiel said...
bogus. IE7 is the only shipping browser to support EV! firefox and opera have committed to future versions supporting EV (firefox 3 for instance does), but this is just whining from paypal in an attempt to get apple to divulge information about future versions.
just because apple doesn't blab about all their future features of safari doesn't mean it's not happening.
Reply
2-28-2008 @ 5:10PM
jigme said...
um... maybe slightly OT, but i don't get the "otherwise spectacular..." phrase. i really don't mean to be a basher - i'll use whatever works best, whoever makes it - but can anyone tell me any good reason to use Safari over (my long-time preference) Firefox?
I'm genuinely curious here - what are Safari's benefits over FF?
TIA.
Reply
2-28-2008 @ 5:15PM
Respondent said...
S
p
e
e
d
2-28-2008 @ 5:29PM
jigme said...
hmm. having conducted a non-scientific quick spin around the block, i'm preliminarily concluding that while
s
p
e
e
d
may be a fair summary of FF, Safari came in more like
...
...
...
...
speed
but that was definitely unscientific... i daresay there are benchmarks around someplace?
2-28-2008 @ 5:14PM
TEG said...
Paypal is only making sure that Idiots don't get screwed. I'll continue to use PayPal, because I'm smart enough to go to the site myself instead of following some link. Regardless, they are still full of crap.
Reply
2-28-2008 @ 5:36PM
Patrick said...
Everyone who is dumb enough to visit PayPal or a financial site through links or an insecure wifi connection won't give a s*** if there are any yellow buttons on his browser.
Reply
2-28-2008 @ 5:48PM
Marshall said...
Agreed. I know people who have responded to Nigerian wealth scam emails. These same people have asked me how to protect themselves from spammers and phishers (usually right after a special on the evening news). They are so blinded by something in the messages they get, that no amount of telling them not to click on things in their spam folder, or not to send any personal information over email is going to work. Some people have brains that just don't work right.
2-28-2008 @ 5:40PM
Rob said...
Safari is like swiss cheese. It is full of holes!!
I really do not think that Apple takes Security seriously. Hmm, let's see:
1) Apple ships Leopard with the Firewall turned off! (What other OS did the same thing and regretted it?)
2) Apple changes the firewall in Leopard to a new untested application firewall so no matter what you do some ports are always left open!
3) Holes in Safari are used by hackers to jailbreak the iPhone JUST by visiting a website! (This hole was apparently caused by Apple failing to use the LATEST version of the Open Source libtiff library).
And so on..
Come on Apple. Start taking Security seriously!!
IMHO, Apple will NOT start to take security seriously until the public perception that Apple is a secure computer platform is shattered. And at the rate Apple is going that will take no time at all..
Reply
2-28-2008 @ 6:04PM
James said...
The lack of a firewall is only a problem if your system has remote exploits to begin with. They're almost certainly there, but don't hold your breath waiting for them to be discovered. And when you have the service running, you generally open a hole in the firewall defeating the purpose of having it.
Firewalls on a PC provide more of an impression of security than any actual security. To really protect your computer from remote exploits, never directly expose it to the internet. Use something like a NAT router, and explicitly and thoughtfully control what traffic you allow it to pass on to your computer.
Short version for *real* security:
Turn off services you don't need.
Use an external device as your firewall.
2-28-2008 @ 6:06PM
Joe said...
I agree that apple needs phishing filters. I'm fairly savvy and have a due amount of mistrust for most email. But my parents are just open prey to phishing scams. I can't seem to communicate to them what should be suspect without making them feel like using a computer is just too much trouble. It's important for safari (or the OS) to help clue you in when something is suspicious.
Reply
2-28-2008 @ 6:43PM
MysteryQuest said...
There IS a phishing filter in Safari 3, but it is currently disabled. I don't know why, but with some hacking you should be able to enable it just by writing some preferences. There is a lot of information in the Safari binary that will help people enable this. Just look around for com.apple.safari.phishing (2 results) and phishing.
Reply
2-28-2008 @ 7:27PM
Andrew said...
If you're worried about phishing sites, switch your DNS provider from your ISP to the one provided at http://opendns.com/
The phishing protection isn't even why I use it, it's just overall an amazing freely offered product. TUAW should do a feature on it ;)
Reply
2-28-2008 @ 7:32PM
x999x said...
I hope apple takes this seriously, the iPhone is pushing a lot of web traffic these days with its Safari browser. That push could come to an end if it's not deemed safe by traditional web standards.
Reply
2-28-2008 @ 9:01PM
Diego said...
Will the autofill feature and bookmarking for firefox help in avoiding phishing sites? Like for example, I bookmark paypal and use the autofill for logging into my account. I'm guessing it's safer because it only fills in the username and password in the right website. Is this correct?
Reply
2-28-2008 @ 9:33PM
ColonelSmith said...
What about OpenDNS. I set that up on my network and set it to block all phishing sites on the network. That way you don't have to depend on the browser.
www.opendns.com
Reply