Ask Securosis: Is Safari Less Secure?
This week, our question is courtesy of Allen:
… As a long time Mac user and an inspiring security professional (i am in the process of completing my CISSP certification), I found this article on Macworld’s web site to be very fascinating. If you could please comment on this on your web site and/or on your podcast would be very grateful.
The article in question, located here, is a very odd interview with Michael Barrett, PayPal’s chief information security officer.
Michael argues that the main reason Safari is less secure is its lack of anti-phishing features or support for Extended Validation SSL certificates. For you non-geeks, those are extra, higher cost, digital certificates that highly trusted websites can buy to prove they are who they say they are. A few snippets:
“Apple, unfortunately, is lagging behind what they need to do, to protect their customers,” Barrett said in an interview. “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.” … Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari’s lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site. When it comes to fighting phishing, “Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it,” he said. … Still, Barrett says data compiled on PayPal’s Web site show that the EV certificates are having an effect. He says IE 7 users are more likely to sign on to PayPal’s Web site than users who don’t have EV certificate technology, presumably because they’re confident that they’re visiting a legitimate site. Over the past few months, IE 7 users have been less likely to drop out and abandon the process of signing on to PayPal, he said. “It’s a several percentage-point drop in abandonment rates,” he said. “That number is… measurably lower for IE 7 users.”
This is complete and utter bunk. I’d like to reference an article at Dark Reading, on anti-phishing, and this one about a Harvard/MIT study:
APRIL 13, 2007 | The lock-and-key icon was broken. The site-authentication image was not there. A security message popped up, warning that the site was not properly certified. And still, more than half of them entered a password and tried to log in. That’s the bottom-line finding of a new study from researchers at Harvard University and MIT, who conducted a live test of banking users to measure the effectiveness of browser-based authentication and anti-phishing features earlier this year. The research is scheduled to be presented at the IEEE Symposium on Security and Privacy next month.
PayPal is completely off base- I highly doubt the lack of anti-phishing features correlates in any material way to Safari users dropping out of the sign in process. The level of assumptions in those statements is ridiculous.
Now, let’s look at Safari. The truth is, based on talking with security researchers. that IE7 on Vista is more fundamentally secure than Safari. I’m not sure about Firefox, but suspect it is also probably more fundamentally secure. But that almost doesn’t matter- the real world risk, today, of using Safari is extremely low. That could change instantly, at any given time, and probably will, but until then I feel comfortable using it for most of my browsing needs.
A bigger hole with Mac (or PC) browsing is QuickTime, which is in the midst of some rough times from a security perspective. But QuickTime runs in any browser, not just Safari.
My overall take? Most users don’t understand or care about anti-phishing notifications built into their browsers. Safari does lack security features available in competitors, and has had a few vulnerabilities this year, but real-world risk is low for now. Support for extended validation certificates is a nice to have feature, but probably won’t improve Safari security for the average user in any material way.
Not that we shouldn’t keep the pressure on Apple to keep strengthening the OS and browser, but I’d prefer they put more effort into sandboxing and other anti-exploitation defenses than little green borders when I visit someone willing to cough up an insane amount of cash to Verisign.