When Apple released the Safari 3.2 update (see “Safari 3.2 Fixes Security Flaws”, 2008-11-13), the company didn’t just address the usual collection of security flaws; it also added two new security features, common in other browsers, that Apple has recently been criticized for lacking. For the first time, Safari includes two anti-phishing features designed to protect users from accidentally (or purposely) visiting fraudulent Web sites. In typical Apple fashion, these features were essentially undocumented, but with a little investigation we’ve been able to determine how they work and how much protection they offer Safari users.
The term “phishing” initially referred to spam email messages pretending to be from a known site, like your bank, designed to sucker you into visiting a fraudulent Web site that often emulated the legitimate site. The goal is to trick users into entering their login or account information, which the bad guys then use to drain the accounts. The first versions did little more than modify a Web link so it would display one address but really direct you to a different destination. While users and developers quickly figured out how to detect such a simple attack, the bad guys continually advanced their techniques to the point where they can fool even well-educated users. The definition of phishing also expanded to include essentially any fraudulent Web site that tries to collect your private information – from banks to online games.
One protection that’s become common to most Web browsers, including Firefox and Internet Explorer, is a warning when visiting known malicious Web sites. Every time you visit a Web site, the browser checks the address to make sure it’s not on a blacklist of known bad sites. If it’s clean, you never know this check occurred, but if the site is on the list your browser pops up a warning page and requires you to click a button to proceed.
Another relatively new protection in most browsers is support for Extended Validation digital certificates. Whenever you visit a secure Web site that activates the lock icon in your browser, you are using that site’s digital certificate to create an encrypted session. That certificate is unique for that site; if you don’t see a warning, that means the certificate was issued by one of the trusted authorities built into your browser, and that the address of the site matches the signed digital certificate (for more information on SSL see Chris Pepper’s “Securing Communications with SSL/TLS: A High-Level Overview” 2007-06-25). But it turns out it’s extremely easy for any site to get a digital certificate, and some phishers take advantage of this as an additional way to trick you into thinking their fake sites are secure. An Extended Validation (EV) certificate is a bit different. These are very expensive certificates that require the business to go through an in-depth vetting process to ensure that the certificate doesn’t just match a Web address, but matches the business behind it. In exchange, sites with EV certificates appear differently in Web browsers that support them.
Does It Help?

Back in February 2008, Michael Barrett, the Chief Information Security Officer for PayPal, made waves by warning users to avoid Safari due to its lack of phishing filtering and support for EV certificates. Safari 3.2 addresses those criticisms by adding both features. Phishing filtering is provided by Google, and now when you attempt to visit a known bad site your browser displays a clear warning, and you have to click through manually to proceed. If you visit a site with an EV certificate, the name of the company now appears in green in the upper right corner of the browser, right next to the lock icon. Both features are active by default, although you can disable phishing filtering in Safari’s security preferences.
But, despite Barrett’s emphasis on these features, do they really make you more secure? The answer is a resounding “maybe.” A joint Harvard University and MIT study showed that users tend to ignore these visual warnings in their browsers. A second survey by an Internet service provider in the UK indicated that many users don’t even know what these indicators mean. Speaking as a security professional, I have found that these sorts of visual signals provide only limited security benefits. Even well-educated users often ignore or miss these visual cues, assuming the cues are accurate in the first place.
This was perfectly highlighted for me mere minutes after I updated to Safari 3.2. Despite three layers of spam filtering on my TidBITS mail account, I received an obvious spam message claiming to be from the Canada Revenue Agency. I checked the site for malicious software, then visited it with Safari, Firefox, and Internet Explorer. Despite the phishing filters, not a single browser blocked the site. I checked with a colleague in the anti-spam industry who found the site in his company’s database (discovered 2 days previously), but it hadn’t yet been picked up by Google or the services powering Firefox and Internet Explorer. Over the next couple of hours he sent me a few additional sites to test, and none of them triggered the phishing filter in any of the browsers. Not that the filter was worthless – he also sent me some sites that effectively triggered the warnings.
The problem with blacklists is that they only protect us from the bad sites we already know about. If you rely on this mechanism to ensure you never visit a malicious site, your risk of being fooled by an unknown bad site is increased. In security (and science), we call this a false negative, and false negatives can be far more dangerous than false positives (a good site labeled as bad, which is more annoying than a security risk).
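To make the blacklist mechanism and its false-negative blind spot concrete, here is a small Python model of the check a browser performs on every address. This is an added illustration, not Safari’s or Google’s code: the blacklist entries and the test addresses are constructed sample values (the .example.* names are not real sites), and real services such as Google’s list are distributed as hashed prefixes rather than the plaintext host list used here. The model normalizes the URL (case, trailing dot, port), matches whole hosts, parent domains and host-plus-path prefixes, and then classifies each visit as a true/false positive or negative so the gap the article describes, a malicious site that simply isn’t listed yet, shows up as a “false negative”.

```python
from urllib.parse import urlsplit

# Constructed sample blacklist (hypothetical hosts, not real sites).
# An entry is either a bare host (matches it and all subdomains)
# or "host/path-prefix" (matches only that host under that path).
BLACKLIST = {
    "login-verify.example.net",
    "cdn.example.org/secure/update",
}


def normalize(url):
    """Reduce a URL to (lower-case host without trailing dot, path)."""
    # urlsplit only parses a host when "//" is present
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    path = parts.path or "/"
    return host, path


def is_blacklisted(url, blacklist=BLACKLIST):
    """True if the URL's host (or a parent domain, or host+path) is listed."""
    host, path = normalize(url)
    labels = host.split(".")
    # Walk from the full host up to the registrable-looking parent,
    # never matching a bare top-level label on its own.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blacklist:
            return True
    # Host + path-prefix entries
    for entry in blacklist:
        if "/" in entry:
            ehost, _, epath = entry.partition("/")
            if ehost == host and path.startswith("/" + epath):
                return True
    return False


def verdict(url, actually_malicious, blacklist=BLACKLIST):
    """Classify the filter's decision against the (assumed) ground truth."""
    listed = is_blacklisted(url, blacklist)
    if listed:
        return "true positive" if actually_malicious else "false positive"
    return "false negative" if actually_malicious else "true negative"


if __name__ == "__main__":
    # Constructed visits: (url, is it really malicious?)
    visits = [
        ("http://LOGIN-VERIFY.example.net.:8080/index.php", True),  # listed, normalization needed
        ("https://mail.login-verify.example.net/", True),           # subdomain of a listed host
        ("http://cdn.example.org/secure/update/setup.exe", True),   # listed host+path prefix
        ("http://cdn.example.org/", False),                         # same host, unlisted path
        ("https://login-verify.example.co/", True),                 # look-alike not yet listed
        ("https://www.example.com/", False),                        # ordinary site
    ]
    for url, bad in visits:
        print(f"{verdict(url, bad):15} {url}")
```

The fifth visit is the case the article ran into: a fresh phishing host that the list’s provider hasn’t ingested yet sails through, and the filter reports nothing because it has nothing to report. Only the first four lines show the filter doing useful work, which is why the warning page should be read as “known bad” rather than “verified safe”.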
As for EV certificate support, I checked by visiting my bank and the indicator appeared as expected. The bad news is that I never really bother to look for a green banner, border, or label, no matter what Web browser I’m using. The only way I’d likely notice the lack of an EV certificate would be if I visited a fraudulent site and a big warning appeared, but that’s not how any browser currently works.
It’s commendable that Apple added these features to bring Safari up to the level of its competitors, but users shouldn’t rely on them as definitive protections from phishing. Just because a site isn’t blocked doesn’t mean it isn’t dangerous, and just because a site uses an EV certificate doesn’t mean you’ll remember to look for the visual indicator in Safari – or any Web browser.