How secure is Safari?

Apple's Safari, released for the Windows platform in June 2007, is the second newest browser on Windows, behind Google's Chrome.

Settings and ciphers

An optional menu called Develop (which replaces the previous Debug menu option) can be added to the menu bar to speed up Web page development testing, but it also has significant global security impacts. The Develop menu allows the user to quickly open a current Web page in another installed Web browser or to change User Agent strings on the fly (to see how the change affects Web page rendering). Installed plug-ins can be viewed -- but not managed -- via an option under Safari's Help menu.

You can also disable local caching of downloaded content, thereby forcing all content to be re-downloaded when revisiting a Web page; disable images; disable CSS (which have been involved in more than a few exploits); and globally disable JavaScript. Disabling JavaScript prevents many malicious Web sites from functioning, but it's no panacea. Even with JavaScript disabled, one of the most obnoxious malicious Web sites I tried still managed to kick-start more than 40 instances of Safari in a few seconds, resulting in a de facto DoS attack on the test machine.

Safari is weaker than its competitors in several areas regarding digital certificates and SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic. Initially, in SSL/TLS negotiations, TLS with RSA and weak 128-bit RC4 keys are offered first and second in the cipher order. Worse, ECC (Elliptical Curve Cryptography), AES (Advanced Encryption Standard), and 256-bit keys are never offered as potential cipher choices; further, MD5 is offered first and more frequently than SHA-1, when it should be the other way around. It would seem that Apple hasn't been paying attention to crypto developments over the last few years.

Safari does warn of invalid digital certificates, but it isn't nearly as "in your face" as the other top browsers. It warns only once with a small pop-up message, whereas competitors alter the entire Web page with red or multicolored warnings. Come to think of it, maybe Safari has it right: better to display one warning than many for a single problem. But then Safari, unlike all its competitors, fails to point out Extended Validation (EV) certificates or, as Internet Explorer and IE do, to highlight the true domain name, making it more difficult to tell phishing sites from the real thing.

Hunting and phishing

Safari passed all of my browser and JavaScript security exams, negotiating my predefined lab trials, test suites on the Internet (including scanit and Jason's Toolbox), and real-world exposure to known-malicious Web sites without allowing any malware to be automatically installed (Safari's competitors fared just as well). The most malicious DoS Web site locked up Safari and the host machine, just as it did the other browsers, but Safari succumbed more quickly than the rest. Safari also fails to stop malicious URL moniker launches, used by attackers to automatically start helper applications they hope to exploit.

When Safari was first released, Apple touted the new browser as a secure alternative to Internet Explorer. As with all Internet Explorer alternatives, Safari's lack of native support for ActiveX controls does provide users with some protection. Safari's strong anti-phishing filters are also a plus.

But security is not Safari's strong point. Unfortunately, 26 separate vulnerabilities have been announced since March 2008, one-third of which would allow complete system access. Plus, there simply isn't a lot of security granularity to Safari. Security-minded users will have to decide if Safari's poor cipher support, lack of security zones, and absence of enterprise features for mass deployment and control can be overcome by its aesthetic benefits.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags web browserssafari

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

InfoWorld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?