Safari 3.2 Adds Anti-Phishing and Other Security Enhancements

Yesterday, Apple released Safari 3.2 for both Windows and Mac (Tiger and Leopard). As usual, Apple’s normal update announcements are a little short on details.

This update is recommended for all Safari users and features protection from fraudulent phishing websites and better identification of online businesses. This update also includes the latest security updates. For detailed information on the security content of this update, please visit this site:

The KnowledgeBase article about the security content of the update takes you to Apple’s main security page, which links to the Safari 3.2 security fixes. Most of the fixes are about arbitrary code execution but some are more subtle fixes to make sure that web pages don’t have access to local files.
The anti-phishing updates are two-fold. If you visit a malicious web site, Safari will warn you with the following dialog box:

Clicking on the “Learn more about phishing scams” link takes you to a web page that explains Strange Behavior and Malicious Software: Phishing attacks. Interestingly enough, this explanation is on rather than on Apple’s web site. I assume this means that Apple is using Google’s list of sites that they have identified as potentially dangerous, like you might see on some search results.

To go along with this, there is a new preference in the security panel to toggle this warning when you visit a fraudulent website.

The other change is a positive indication for sites that have taken the extra step to obtain an Extended Validation Certificate from one of the Certificate Authorities that have begun to do the extra background checks. If you visit a site that has one of these Extended Validation Certificates, Safari will display the site name next to the usual lock icon in green text, as you can see in this example from’s login page.

Not all sites with SSL certificates have these EVC credentials (my bank’s online site does not, for example). When you do see the notice, you can click on this green text to get more details on the site certificate (just as you can for other sites by clicking on the lock itself). Make a note of the “Class 3 Extended Validation SSL SGC CA” line in PayPal’s description below.

There are lots more features coming in Safari 4 which should implement much more of the HTML 5 specification and the new SquirrelFish javascript engine, but this is a small step towards that.