This is part five of this series on Securing Leopard. Nowadays web browsers make up a large portion of computer usage and, as such, are prime targets for attackers. Browsers also store a lot of data about browsing activity (history, cache, searches, etc.), and it’s important to know how to manage that information. Note that most of these tips are privacy-related.
Safari’s preferences (Safari -> Preferences) offer a number of settings which can be configured:
The two settings of interest on the ‘General’ tab are:
- Remove history items: This allows you to configure Safari to automatically clear your history after a set period of time. Set this in line with your privacy appetite.
- Open “safe” files after downloading: This option automatically mounts DMGs and unzips ZIP files after they’ve been downloaded. Although I do not know of any current issues, there has been an attack in the past where this feature could be used to execute arbitrary shell commands if a specially-crafted file was downloaded. I recommend keeping this unchecked.
Preventing Information Leakage
The next tab of interest in Safari’s preferences is ‘AutoFill’, where you can configure which types of information are automatically fed into web forms. I recommend keeping all of these unchecked, as a recent attack has shown that this feature can be used to extract information through your browser!
The ‘Security’ tab offers a number of configuration options, a couple of which have a potential impact on privacy.
- Fraudulent sites: Whenever you are about to browse to a web page, this option sends that URL to Google’s Safe Browsing service which tracks web pages with known malware. If you are a very novice user (or browse to a lot of random sites), this feature may actually benefit you. There has been much criticism surrounding Safe Browsing, however, as it provides Google with the entirety of your browsing activity… something many people are against. I keep this unchecked, but leave you to decide. The best advice is to only browse to web sites you actually trust, and to not click unknown links in emails or chats.
- Location services: Some web sites offer services that allow you to share your location with others. In order to do so, this feature has been added into many web browsers. I am personally not a fan of such features, so leave this unchecked. If you do plan on using location-based features then feel free to turn this on. Safari will still need to ask for your permission before obtaining and submitting your location to any site!
- Accept cookies: Leave this as the default “Only from sites I visit”. Setting this to ‘Never’ will make it harder for web sites and stat services to track you, but be warned that most web sites that require you to log in will not work without cookies. Cookies can be cleared in the ‘Show Cookies’ window.
- Non-secure Forms: Always keep the last checkbox enabled. Some websites make the mistake of sending certain forms unencrypted, thus potentially leaking the information being sent. This option will ensure that you are at least notified before something like that happens.
Apart from the commonly known history purge (History -> Clear History), Safari has a useful feature called Reset Safari (in the Safari menu) which allows you to clear much of this information in one go. This allows you to clear locally-stored cache files, session cookies, and other browsing data.
One other Safari feature, Private Browsing, allows you to browse normally without recording the session’s history, cache, or cookies. This can be enabled in the Safari menu under ‘Private Browsing’. It’s still worth being cautious when using this, however, as recent research has shown that such features are not always perfect.