Mastering Safari, understanding security
Written by: Scott Haneda on Tuesday February 26th 2008, 2:00 am
Filed under: Applications, OS X 10.4, OS X 10.5, Safari
Web browsing can be a semi-hostile environment. I am sure most of you have heard at least one story where someone you know has been the victim of some online scam. In general, there are two core parts to online security.
First is whether the site you are connecting to is trustworthy. This can often be difficult to determine. Second is the data your browser collects as you browse the web. Safari has built in tools to help you keep your experience as safe as possible. With a little foresight and education, you can protect yourself from being taken advantage of.
Secure websites, SSL certificates, and the little lock
If you are performing any transaction online, where the data you are sending in is important to you, the website should be secure. I draw the line at bank data, credit card data, and social security numbers. If I am being asked that data, I insist the site is secure.
The simplest way to tell if a website is secured is to look in the upper right corner of the browser. If you see a padlock, it is secure.

You can also look at the URL and see if it starts with “https”. Either of these identifiers, in most cases, will let you know the site is secure.
What does secure mean?
If you see the padlock icon, or the URL starts with “https”, the data you are transmitting can be considered encrypted. You can click on the padlock, and a sheet will pop down, showing you even more detailed data about the security of the site.
In all of my purchases on the web, I have yet to find a site claiming to be secure that is not. Spoofing, or tricking Safari into showing the padlock on a non-secure site, is also a non-trivial task. That is not to say there cannot be problems with the security, but you should be rather safe in knowing your data is being transmitted from your browser to the remote website in a secure and encrypted manner.
Security alerts
From time to time, you will visit a site that pops up a security alert in Safari. As you can see in the image below, this very alert pops up with an Amazon site.

What is important to know immediately is that this does not mean the site I am about to visit lacks security. I will still be transmitting encrypted data. It simply means there is a problem in some way with the certificate that generates the encryption.
Two things can and will go wrong here.
In order to have a secure site, the website owner must purchase an SSL (Secure Sockets Layer) certificate. Many companies sell these, but not all are known by Safari. These certificates come from what is called a CA, or Certificate Authority. In the case of the above example, if you click on “Show Certificate”, you can verify this.

As you can see, Safari tells me in red “The certificate was signed by an unknown authority”. In this case, I know to trust this site, so I can click continue. If I plan on coming back often, I can click off the checkbox to “Always trust” this site.
At other times, you will run into the same error, but Safari will tell you the certificate has expired. SSL certificates are valid for one year or longer. Sometimes they expire and the site webmaster has not had time to renew.
In either case, it is important to know that the data will be secure and encrypted; it is up to you to judge whether or not the site really is who they say they are.
Not all cases are safe
Seeing a padlock only means data is sent securely; it does not guarantee the site is who it says it is. In the image examples above, if the web address in the URL bar of Safari does not match that on the certificate, you know something is fishy.
A scammer will go to great lengths to make a website look like the real site you last remembered. They will even use URLs such as e-b-a-y.com to try and confuse you. If you have any suspicions, ask someone before you proceed.
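The two checks above, written out as an added example that is not part of the original article: does the address in the URL bar match a name on the certificate, has the certificate expired, and does a hostname only look like a known site because of extra hyphens. The function names and the sample certificate are constructed for illustration, and the example goes slightly beyond the text by handling wildcard certificate names. It does not check whether the signing authority is known.

```python
import ssl

# Constructed sample, in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notAfter": "Feb 26 02:00:00 2009 GMT",
}
BEFORE_EXPIRY = ssl.cert_time_to_seconds("Feb 26 02:00:00 2008 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Mar 15 00:00:00 2009 GMT")


def name_matches(host, pattern):
    """Compare a host with one certificate name; '*' stands for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    first_label, _, rest = host.partition(".")
    return bool(first_label) and rest == pattern[2:]


def certificate_problems(address_bar_host, cert, now):
    """List the problems from the article that this certificate has for this host."""
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(address_bar_host, name) for name in names):
        problems.append("name mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def looks_like(host, known_sites):
    """Return the known site a host imitates by inserting hyphens, else None."""
    host = host.lower().rstrip(".")
    squeezed = host.replace("-", "")
    for site in known_sites:
        genuine = host == site or host.endswith("." + site)
        imitation = squeezed == site or squeezed.endswith("." + site)
        if imitation and not genuine:
            return site
    return None


if __name__ == "__main__":
    print(certificate_problems("www.example.com", SAMPLE_CERT, BEFORE_EXPIRY))
    print(certificate_problems("www.examp1e.com", SAMPLE_CERT, AFTER_EXPIRY))
    print(looks_like("e-b-a-y.com", ["ebay.com"]))
```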
Personal security
Your computing environment will dictate how rigorous you need to be with securing Safari.
Every page you visit in Safari is remembered for some period of time. You know this as your history. Small bits of data are stored in what are called cookies. Your entire past web browsing habits are being recorded by your browser, be it Safari, Firefox, or Internet Explorer.
Maybe you have a secret crush on Bill Gates. You of course want to keep this a secret. However, anyone who shares your computer with you could simply look in your history and trace the sites you visited. Possibly worse, you may have left yourself logged into your bank. This leaves you vulnerable to someone making changes to your bank account.
Safari has a very handy feature called “Private Browsing”. Everything from history, cookies, auto-fill entries, downloaded items, and even searches, are cleared from Safari as soon as you close the window, or quit Safari.
You enable this feature in the Safari menu, by selecting “Private Browsing”.

A window will pop up that explains in detail, just what this feature is doing.

This does not mean you should enable this feature all the time. I personally use it when I am at a friend’s house, borrowing their computer. Or perhaps on a laptop when traveling. I generally trust the people I live with, and feel it is not needed at all times.
Private browsing is a feature of tradeoffs. Turning it on will certainly slow down Safari by a small degree. I only notice this slowdown on older computers. It definitely will inconvenience you, as Safari will have a very short-term memory about what you have been doing.
Consider Private Browsing a feature to use in cases where you personally feel it is warranted. I would not consider turning it on at all times unless you have a very specific reason to.
The web has all sorts of nasty back alleys. About the best advice I can give is this: if you are at all suspicious, stop what you are doing, and ask around. You can come back here, ask in the comments, ask a more experienced friend, or do some online research. I assure you, nothing you are trying to do online, or purchase online, is worth the trouble of fixing a stolen identity.
If I had private browsing on and have forgotten a login and password, is there any possible way to dig that back out of my computer or is it gone forever?
Comment by Nathan 02.28.08 @ 9:35 am
Is “Private Browsing” to be used basically any time you are doing a bank card payment or checking on your bank or investment accounts? Can you think of any other times it would be appropriate? Thank you for all these helpful tips.
Comment by Julius Hjulian 02.28.08 @ 2:32 pm
@Nathan, if private browsing was on, you indeed will not have access to your password. Even were it not, you still may not be able to get to it.
Every site I am aware of, allows you to get your password, either by email, or by answering a set of questions. If you want to reply back here with the web address (URL) of the site, I can certainly see what I can do to help you out.
Comment by Scott Haneda 02.28.08 @ 7:09 pm
@Julius, I do not use private browsing even when on my banking site. Banking sites tend to be rather protective, and will even auto log you out after a certain period of browser inactivity.
That being said, I have never seen one harmed by being overly cautious on the web.
Private browsing is more an issue of personal security. It will not help you keep your data secure from someone remotely hacking your bank site, or anyone doing anything remote.
Private browsing will prevent those with physical access to your computer, from being able to snoop around and find where and what you have been up to.
Comment by Scott Haneda 02.28.08 @ 7:12 pm
Private Browsing is for erasing your trails and covering your tracks. This is primarily used for making you feel more secure about what browsing remnants are left on your system.
Also, very handy if you have multiple users on the machine (using the same log-in).
Not a feature I use personally as you have to reenter your user ID and passwords on all your sites every time you log in again.
@Boston, shame on you, then again, I guess I am one to talk with looking forward to this Paris Hilton BFF show