18 Comments

Summary:

Yesterday, Apple released Safari 3.2 for both Windows and Mac (Tiger and Leopard). As usual, Apple’s normal update announcements are a little short on details. This update is recommended for all Safari users and features protection from fraudulent phishing websites and better identification of online businesses. […]

Yesterday, Apple released Safari 3.2 for both Windows and Mac (Tiger and Leopard). As usual, Apple’s normal update announcements are a little short on details.

This update is recommended for all Safari users and features protection from fraudulent phishing websites and better identification of online businesses. This update also includes the latest security updates. For detailed information on the security content of this update, please visit this site: http://support.apple.com/kb/HT1222

The KnowledgeBase article about the security content of the update takes you to Apple’s main security page, which links to the Safari 3.2 security fixes. Most of the fixes are about arbitrary code execution but some are more subtle fixes to make sure that web pages don’t have access to local files.

The anti-phishing updates are two-fold. If you visit a malicious web site, Safari will warn you with the following dialog box:

Clicking on the “Learn more about phishing scams” link takes you to a web page that explains Strange Behavior and Malicious Software: Phishing attacks. Interestingly enough, this explanation is on Google.com rather than on Apple’s web site. I assume this means that Apple is using Google’s list of sites that they have identified as potentially dangerous, like you might see on some search results.

To go along with this, there is a new preference in the security panel to toggle this warning when you visit a fraudulent website.

The other change is a positive indication for sites that have taken the extra step to obtain an Extended Validation Certificate from one of the Certificate Authorities that have begun to do the extra background checks. If you visit a site that has one of these Extended Validation Certificates, Safari will display the site name next to the usual lock icon in green text, as you can see in this example from eBay.com’s login page.

Not all sites with SSL certificates have these EVC credentials (my bank’s online site does not, for example). When you do see the notice, you can click on this green text to get more details on the site certificate (just as you can for other sites by clicking on the lock itself). Make a note of the “Class 3 Extended Validation SSL SGC CA” line in PayPal’s description below.

There are lots more features coming in Safari 4 which should implement much more of the HTML 5 specification and the new SquirrelFish javascript engine, but this is a small step towards that.

  1. Patrick Santana Friday, November 14, 2008

    I like Safari very much. It is a great software; but I will keep Firefox until I have a decent plugin for my delicious at Safari. That the only reason.

    - Safari is faster than Firefox
    - Safari is more integrated with Mac than Firefox
    - Safari does not destroy my memory as Firefox

    Share
  2. HTML 5 client-side database support was added in Safari 3.1. It is not new to Safari 3.2.

    Share
  3. Anyone else having problems with SafariStand after this? It seems to be crashing Safari for me.

    Share
  4. only been using it for a half hour with safari stand but no crashes.

    Share
  5. Strange, mine crashes on startup, and pops up an error saying SafariStand is the likely culprit. Hmmm…

    Share
  6. [...] write up about the changes in Safari 3.2 which includes new anti-phishing [...]

    Share
  7. Safari 3.2 is working great here and I’d just like to second what Mark Rowe said about the HTML 5 database support, it’s not new and was there in 3.1.

    Share
  8. @Patrick – plugins are the main reason I continue to use Firefox as well. I rely on the delicious bookmarks and “Web Developer” plugins.

    @Mark – I apologize for the misinformation. I’ve made some edits to the article in response. I wrongly thought that the “show databases” button on the security preferences panel was new, along with the fraudulent websites warning checkbox.

    Share
  9. Can’t wait to see how well Safari will work after Apple actually debugs it.

    This release is based on an ancient version of WebKit, so it’s MUCH slower than the current and only gets 75/100 on Acid3.

    And, so far, it’s crashed half a dozen times on me… Viewing standard stuff, like eBay and CNN pages. (this on a fully updated Tiger system).

    Way to go Apple!

    Share
  10. Security enhancements are cool. Wow.

    jess
    http://www.privacy.de.tc

    Share

Comments have been disabled for this post