Sign In
Register
Help
Post your comments for Inside Safari 3.2?s anti-phishing features here
Inside Safari 3.2?s anti-phishing features
MultiQuote
#2
mrbach 
- Member
-
- Group: Members
- Posts: 393
- Joined: 27-August 04
Posted 25 November 2008 - 04:52 AM
Then perhaps it is up to someone in Canada to take the issue up with Apple Canada. There are very strict privacy laws in this country, and it is the law to disclose how you collect and use information.
#6
adavies42
- Newbie
-
- Group: Members
- Posts: 5
- Joined: 25-November 08
Posted 25 November 2008 - 09:16 AM
interested parties are free to do the research before running it. (since it doesn't block anything else at google, they're even free to do so afterwards. ;-) ) seriously, anyone who can get to the end of an article involving digging into hashed directories in /private/var ought to be able to be trusted with a terminal.
i do apologize for the dupe though; i'm new around here, and it looks like there are some quirks to the display of new comments on the main page of an article that i'll need to get used to. (i tend to assume that if a complete reload (i.e. by url, not by cmd-r) of the page doesn't include my comment, something went wrong. what i get for hanging around tuaw, i suppose?)
i do apologize for the dupe though; i'm new around here, and it looks like there are some quirks to the display of new comments on the main page of an article that i'll need to get used to. (i tend to assume that if a complete reload (i.e. by url, not by cmd-r) of the page doesn't include my comment, something went wrong. what i get for hanging around tuaw, i suppose?)
#8
southerly
- Newbie
-
- Group: Members
- Posts: 1
- Joined: 25-November 08
Posted 25 November 2008 - 09:37 AM
I do find it interesting that someone can dig through the system like that to find out what is being used, but can't read a license agreement. In it Apple sets out their use of data an privacy, and includes this at the end:
C. Use of the Google Safe Browsing Service is subject to the Google Terms of Service (http://www.google.com/termsofservice.html) and to Google's Privacy Policy (http://www.google.com/privacypolicy.html).
C. Use of the Google Safe Browsing Service is subject to the Google Terms of Service (http://www.google.com/termsofservice.html) and to Google's Privacy Policy (http://www.google.com/privacypolicy.html).
#9
lkrupp
- Member
-
- Group: Members
- Posts: 226
- Joined: 30-December 04
Posted 25 November 2008 - 10:50 AM
southerly said:
I do find it interesting that someone can dig through the system like that to find out what is being used, but can't read a license agreement. In it Apple sets out their use of data an privacy, and includes this at the end:
C. Use of the Google Safe Browsing Service is subject to the Google Terms of Service (http://www.google.com/termsofservice.html) and to Google's Privacy Policy (http://www.google.com/privacypolicy.html).
C. Use of the Google Safe Browsing Service is subject to the Google Terms of Service (http://www.google.com/termsofservice.html) and to Google's Privacy Policy (http://www.google.com/privacypolicy.html).
Are you kidding? It's much easier to bash Apple than to actually read the fine print. Also ironic is the fact that the very people who have been ragging on Apple to include anti-phishing protection in Safari because "every other major browser already has it" now are criticizing its implementation and are scurrying to find ways to turn it off permanently. I guess I'll never understand this mentality. Macs users are indeed "different".
#10
dreyfus
- Member
-
- Group: Members
- Posts: 579
- Joined: 05-January 06
Posted 25 November 2008 - 11:52 AM
I am really sorry Apple gave in to the pressure to include such nonsense. Anti-Phishing tools in the browser are the worst possible thing for safety. The only thing required to avoid becoming a phishing victim is education and a brain to receive it. Any gimmicky warning windows in the browser will just make people rely on them - almost no single OS component (OK, it is not - but it comes with the OS) has been the target of more attacks than the browser. So - if your machine is safe and your passwords are any good (say you do not use your dog's name and have the machine running with a public IP address, or route to it via dynamic DNS with all ports open) - then you might be able to assume your browser has not been tampered with. Question is: With more and more people leaving home machines running and highly exposed (just to e.g. access their documents or iTunes libraries from on-the-go) and obviously little education on access rights and password safety (even OS X makes you an administrator to start with) - this is a recipe for disaster?
EV SSL certificates are equally pointless. They are good business for the likes of Verisign - at least they cost a fortune and provide no added security and had been compromised within weeks on the market. The absolutely only thing EV SSL is good for, is to enable richer companies to appear as safer companies - 0% truth and 100% fiction here.
Apple could easily enhance security more sufficiently: 1. Add a safe password generator to the system (or include 1Password with each copy of OS X) - people cannot enter passwords they cannot remember on the wrong sites and 1Password will not give them away if the URL is no match). 2. Make default OS X installs create an administrator and a regular user account. OS X has fast user switching - logging in as an administrator for software installs is a minor pain for more safety.
And finally - and most important: Do not allow these companies (banks, payment services, CC companies) to offload their responsibility onto the users. They make loads of money and you do all the work? Nope. 1. Demand secure systems and demand two-factor authentication (PIN/TAN via SMS, token generators, card readers, etc.) - a temporary transaction code with only a few seconds lifetime is useless for most/all phishing artists. Non-IT-savvy consumers should not be bothered with tracing IP numbers. 2. Follow and advertise a strict "No Email" policy - if the expected amount of email from the bank/service is zero, any email would raise concern (some few banks actually do this).
Seriously, we have 2008 and still all I need to steal somebodies money is a short glance at their credit card? It is not the browser programmers that should get serious here.
EV SSL certificates are equally pointless. They are good business for the likes of Verisign - at least they cost a fortune and provide no added security and had been compromised within weeks on the market. The absolutely only thing EV SSL is good for, is to enable richer companies to appear as safer companies - 0% truth and 100% fiction here.
Apple could easily enhance security more sufficiently: 1. Add a safe password generator to the system (or include 1Password with each copy of OS X) - people cannot enter passwords they cannot remember on the wrong sites and 1Password will not give them away if the URL is no match). 2. Make default OS X installs create an administrator and a regular user account. OS X has fast user switching - logging in as an administrator for software installs is a minor pain for more safety.
And finally - and most important: Do not allow these companies (banks, payment services, CC companies) to offload their responsibility onto the users. They make loads of money and you do all the work? Nope. 1. Demand secure systems and demand two-factor authentication (PIN/TAN via SMS, token generators, card readers, etc.) - a temporary transaction code with only a few seconds lifetime is useless for most/all phishing artists. Non-IT-savvy consumers should not be bothered with tracing IP numbers. 2. Follow and advertise a strict "No Email" policy - if the expected amount of email from the bank/service is zero, any email would raise concern (some few banks actually do this).
Seriously, we have 2008 and still all I need to steal somebodies money is a short glance at their credit card? It is not the browser programmers that should get serious here.
#11
macjournals
- Newbie
-
- Group: Members
- Posts: 9
- Joined: 31-March 05
Posted 25 November 2008 - 12:15 PM
Thanks for all the feedback. (Warning: we're attempting HTML in this post, so if it doesn't work, we'll talk to the Macworld folks and ask them to fix it for us.)
southerly: You have no idea how many pages of Apple information we went through on that weekend looking for disclosure of this, but we admit that it did not cross our mind to find it in the licensing agreement, and it should have. Still, while this is better than nothing, it doesn't meet our threshold for "disclosure" for a couple of reasons:
Aside from all this, we still have the problem that while Mozilla's privacy policy specifies that the data will not be used for any purpose other than to improve the service, Google's privacy policy does not. We did read Google's privacy policy as part of the research, and that policy explicitly states that Google may use information the company collects from your use of its services that don't require registration (like Safe Browsing) for the development of its own services, "including the display of customized content and advertising."
So while we're pleased that there is some disclosure, it's extremely minimal, it's not where you can find it, it's not "new" so comparing the new license to the old won't necessarily reveal it, it's not in the privacy policy, and it's not as strong as the Mozilla Foundation's policy for the same data.
That said, we still have the feature turned on here. We're satisfied, for now, that on a broadband connection, it discloses minimal information for a reasonable benefit. We just believe, strongly, that Apple must disclose how this works where people will find it, and in relevant places like the privacy policy, in the Safari application (even in the help files! help files are cheap!), and ideally, through a small notice when you turn on the feature (or a small link underneath the checkbox, like "read more about this," when it's turned on by default).
It's not necessarily an evil thing, but it's something customers should know. Thanks for providing more information.
lkrupp: We were not convinced of the value of EV SSL certificates either, and had no problem with Apple's non-plans to support them. We were just surprised that since eBay had made such a fuss over them, that Apple would choose to implement them without even mentioning the name of the feature. If you're going to try to win points by implementing a "standard," even one of controversial benefit, you lose out when you don't actually say you're doing it. It's clearly a boon to the companies that paid for the EV SSL certificates, and we have no problems with that as long as people don't panic when they see pages secured with domain-only certificates from smaller companies (like, for example, our own).
Thanks to everyone for the thoughtful and constructive comments!
southerly: You have no idea how many pages of Apple information we went through on that weekend looking for disclosure of this, but we admit that it did not cross our mind to find it in the licensing agreement, and it should have. Still, while this is better than nothing, it doesn't meet our threshold for "disclosure" for a couple of reasons:
- As far as we know, you can't actually read the Safari license agreement from within Safari. Your only shot at it is to read it before installation, or to know that you can find a PDF version of it online.
- Even if you find it online, the modification date on the agreement is 2008.08.19, more than three months ago, so you might not figure out that this last section has something to do with the new feature, because…
- The language describing the feature in Safari does not use the terms "Google" or "Safe Browsing," so unless you know what's going on from research like this, you don't know that this is a license for the use of the new "anti-phishing features."
Aside from all this, we still have the problem that while Mozilla's privacy policy specifies that the data will not be used for any purpose other than to improve the service, Google's privacy policy does not. We did read Google's privacy policy as part of the research, and that policy explicitly states that Google may use information the company collects from your use of its services that don't require registration (like Safe Browsing) for the development of its own services, "including the display of customized content and advertising."
So while we're pleased that there is some disclosure, it's extremely minimal, it's not where you can find it, it's not "new" so comparing the new license to the old won't necessarily reveal it, it's not in the privacy policy, and it's not as strong as the Mozilla Foundation's policy for the same data.
That said, we still have the feature turned on here. We're satisfied, for now, that on a broadband connection, it discloses minimal information for a reasonable benefit. We just believe, strongly, that Apple must disclose how this works where people will find it, and in relevant places like the privacy policy, in the Safari application (even in the help files! help files are cheap!), and ideally, through a small notice when you turn on the feature (or a small link underneath the checkbox, like "read more about this," when it's turned on by default).
It's not necessarily an evil thing, but it's something customers should know. Thanks for providing more information.
lkrupp: We were not convinced of the value of EV SSL certificates either, and had no problem with Apple's non-plans to support them. We were just surprised that since eBay had made such a fuss over them, that Apple would choose to implement them without even mentioning the name of the feature. If you're going to try to win points by implementing a "standard," even one of controversial benefit, you lose out when you don't actually say you're doing it. It's clearly a boon to the companies that paid for the EV SSL certificates, and we have no problems with that as long as people don't panic when they see pages secured with domain-only certificates from smaller companies (like, for example, our own).
Thanks to everyone for the thoughtful and constructive comments!
#12
richcon
- Member
-
- Group: Members
- Posts: 154
- Joined: 08-February 05
Posted 25 November 2008 - 03:11 PM
The date after I installed Safari 3.2, I visited a web site I maintain and immediately Safari's malware warning went off -- visiting this site could harm your computer. I visited the "more information" page to get info on the bad site, and it wasn't my web site, but a completely different one that's loaded with viruses.
So a quick look at the source of my page found that someone had injected an invisible IFRAME tag that loaded the malware site whenever someone visits my site. I checked the pages, and sure enough, they had just been hacked that day.
Without the Safari 3.2 update, I wouldn't have been alerted to the hack so quickly. I immediately removed the offending code, changed all my passwords, and had the site back up within a few minutes. Sweet!
So a quick look at the source of my page found that someone had injected an invisible IFRAME tag that loaded the malware site whenever someone visits my site. I checked the pages, and sure enough, they had just been hacked that day.
Without the Safari 3.2 update, I wouldn't have been alerted to the hack so quickly. I immediately removed the offending code, changed all my passwords, and had the site back up within a few minutes. Sweet!
#13
Cog3125
- Member
-
- Group: Members
- Posts: 52
- Joined: 07-November 08
Posted 25 November 2008 - 05:17 PM
In advance let me say that, yes, I realize this wasn't even close to the point the article was making, but my first reaction to hearing there's now anti-phishing in Safari was actually to sigh deeply.
Right from the very first time I heard them described, I've always been dubious of "anti-phishing" techniques as a long term strategy. I mean, maintaining a database of known phishing sites sounds superficially good, but... shouldn't it be taken as a given that "phishers" will frequently move their sites? So there's going to be a plentiful window of opportunity between the appearance of a new site and the time it hits the database to begin with.
And if a phisher abandons a site, how do you "know" this has happened? No way I can see. So, in theory, what do you do? Just keep filling the database more and more so it takes more computing power to drive it and ever longer response times to hear back from it? And if cached files need to be pushed across to the client at relatively frequent intervals, then eventually that has to add up to higher demands on clients as well.
OK, OK, sure. I know. It probably isn't bad right now, and I don't want to sound like I'm ringing alarms bells or anything, but try to look at it from a long term perspective, and it sounds like it can't help but go downhill in the future. It's certainly not likely to get better.
I guess, in a way, it's no different from anti-viruses... you can't ever stop scanning for past viruses, yet you keep having to add new signatures. It's just galling that your computer should spend ever increasing amounts of time having to scan for viruses (though of course, when I hear some people talk as though a Mac is somehow immune I can't help rolling my eyes and wonder if they've ever heard of Java).
Still, now you're talking something that affects network response times increasingly across every conceivable platform with web access, and that seems even more galling in its own way.
I'm not trying to say I have some terribly clever alternative or anything. I just saying... well, I guess I'm just saying that I'm galled.
Right from the very first time I heard them described, I've always been dubious of "anti-phishing" techniques as a long term strategy. I mean, maintaining a database of known phishing sites sounds superficially good, but... shouldn't it be taken as a given that "phishers" will frequently move their sites? So there's going to be a plentiful window of opportunity between the appearance of a new site and the time it hits the database to begin with.
And if a phisher abandons a site, how do you "know" this has happened? No way I can see. So, in theory, what do you do? Just keep filling the database more and more so it takes more computing power to drive it and ever longer response times to hear back from it? And if cached files need to be pushed across to the client at relatively frequent intervals, then eventually that has to add up to higher demands on clients as well.
OK, OK, sure. I know. It probably isn't bad right now, and I don't want to sound like I'm ringing alarms bells or anything, but try to look at it from a long term perspective, and it sounds like it can't help but go downhill in the future. It's certainly not likely to get better.
I guess, in a way, it's no different from anti-viruses... you can't ever stop scanning for past viruses, yet you keep having to add new signatures. It's just galling that your computer should spend ever increasing amounts of time having to scan for viruses (though of course, when I hear some people talk as though a Mac is somehow immune I can't help rolling my eyes and wonder if they've ever heard of Java).
Still, now you're talking something that affects network response times increasingly across every conceivable platform with web access, and that seems even more galling in its own way.
I'm not trying to say I have some terribly clever alternative or anything. I just saying... well, I guess I'm just saying that I'm galled.
#14
richcon
- Member
-
- Group: Members
- Posts: 154
- Joined: 08-February 05
Posted 25 November 2008 - 07:44 PM
Cog3125:
I imagine your concerns are probably why Google won't allow browsers to display a malware or phishing notice if their blacklist is more than 30 minutes out of date. Just because a site was hacked 40 minutes ago doesn't mean it's still hacked now.
Now, hopefully Google does a good job clearing sites once they go away or malware is removed.
I imagine your concerns are probably why Google won't allow browsers to display a malware or phishing notice if their blacklist is more than 30 minutes out of date. Just because a site was hacked 40 minutes ago doesn't mean it's still hacked now.
Now, hopefully Google does a good job clearing sites once they go away or malware is removed.
