
Securing Safari

This is part five of this series on Securing Leopard. Nowadays web browsers make up a large portion of computer usage and, as such, are prime targets for attackers. Browsers also store a lot of data about browsing activity (history, cache, searches, etc.), and it’s important to know how to manage that information. Note that most of these tips are privacy-related.

General Settings

Safari’s preferences (Safari -> Preferences) offer a number of settings which can be configured:

[Screenshot: Safari Preferences, General tab]

The two settings of interest on the ‘General’ tab are:

  1. Remove history items: This allows you to configure Safari to automatically clear your history after a set period of time. Set this in line with your privacy appetite.
  2. Open “safe” files after downloading: This option automatically mounts DMGs and unzips ZIP files after they’ve been downloaded. Although I do not know of any current issues, there has been an attack in the past where this feature could be used to execute arbitrary shell commands if a specially-crafted file was downloaded. I recommend keeping this unchecked.

Preventing Information Leakage

The next tab of interest in Safari’s preferences is ‘AutoFill’, where you can configure which types of information are automatically fed into web forms. I recommend keeping all of these unchecked, as a recent attack has shown that this feature can be used to extract information through your browser!

[Screenshot: Safari Preferences, AutoFill tab]

Security Options

The ‘Security’ tab offers a number of configuration options, a couple of which have a potential impact on privacy.

[Screenshot: Safari Preferences, Security tab]

  1. Fraudulent sites: Whenever you are about to browse to a web page, this option sends that URL to Google’s Safe Browsing service which tracks web pages with known malware. If you are a very novice user (or browse to a lot of random sites), this feature may actually benefit you. There has been much criticism surrounding Safe Browsing, however, as it provides Google with the entirety of your browsing activity… something many people are against. I keep this unchecked, but leave you to decide. The best advice is to only browse to web sites you actually trust, and to not click unknown links in emails or chats.
  2. Location services: Some web sites offer services that allow you to share your location with others. In order to do so, this feature has been added into many web browsers. I am personally not a fan of such features, so leave this unchecked. If you do plan on using location-based features then feel free to turn this on. Safari will still need to ask for your permission before obtaining and submitting your location to any site!
  3. Web content: These checkboxes allow you to configure whether to allow plugins (such as Flash), Java, JavaScript, and pop-up windows. Most users will have all of these checked. Malicious Flash, Java and JavaScript do exist, so it’s not uncommon for some users to keep these disabled until specifically required. Firefox has a great plugin called NoScript which lets you permit specific scripts on-the-fly. Unfortunately this doesn’t yet exist as a Safari Extension. Naturally, I don’t need to explain why it’s good to block pop-up windows. There are SOME sites that this clashes with, but you can temporarily disable this feature in the Safari menu.
  4. Accept cookies: Leave this as the default “Only from sites I visit”. Setting this to ‘Never’ will make it harder for web sites and stat services to track you, but be warned that most web sites that require you to log in will not work without cookies. Cookies can be cleared in the ‘Show Cookies’ window.
  5. Non-secure Forms: Always keep the last checkbox enabled. Some websites make the mistake of sending certain forms unencrypted, thus potentially leaking the information being sent. This option will ensure that you are at least notified before something like that happens.
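To check the General, AutoFill and Security recommendations above without clicking through every pane, here is an added Python example (not code from the original post) that audits a Safari preferences plist against them. The plist key names, and the assumption that Safari auto-opens “safe” files whenever its key is absent, are my assumptions about how Safari stores these preferences rather than anything the post states; confirm them on your own machine with `defaults read com.apple.Safari`. The sample plist embedded at the bottom is constructed so the script runs offline.

```python
"""Audit a Safari preferences plist against the settings recommended above."""
import plistlib
from pathlib import Path

# Plist keys assumed (not taken from the post) to back the preference panes
# discussed; confirm on your own system with `defaults read com.apple.Safari`.
RECOMMENDED = {
    # General: Open "safe" files after downloading -> unchecked
    "AutoOpenSafeDownloads": False,
    # AutoFill: all sources -> unchecked
    "AutoFillFromAddressBook": False,
    "AutoFillPasswords": False,
    "AutoFillMiscellaneousForms": False,
    # Security: Block pop-up windows -> checked (stored as the inverse)
    "WebKitJavaScriptCanOpenWindowsAutomatically": False,
}

# Settings the post leaves to the reader's judgement: reported, never flagged.
INFORMATIONAL = {
    "WarnAboutFraudulentWebsites": "Fraudulent sites (sends URLs to Safe Browsing)",
    "WebKitJavaEnabled": "Web content: Enable Java",
    "WebKitPluginsEnabled": "Web content: Enable plug-ins",
    "WebKitJavaScriptEnabled": "Web content: Enable JavaScript",
    "HistoryAgeInDaysLimit": "Remove history items (days)",
}

# Assumption: auto-opening is Safari's default, so an absent key means it is
# still on. Other absent keys are simply reported as unset.
IMPLICIT_DEFAULTS = {"AutoOpenSafeDownloads": True}


def audit_safari_prefs(plist_bytes: bytes) -> dict:
    """Return {key: (status, value)}; status is 'ok', 'change', 'unset' or 'info'."""
    prefs = plistlib.loads(plist_bytes)
    findings = {}
    for key, wanted in RECOMMENDED.items():
        value = prefs.get(key, IMPLICIT_DEFAULTS.get(key))
        if value is None:
            findings[key] = ("unset", None)
        else:
            findings[key] = ("ok" if bool(value) == wanted else "change", value)
    for key in INFORMATIONAL:
        findings[key] = ("info", prefs.get(key))
    return findings


def audit_file(path) -> dict:
    """Audit a plist on disk, e.g. ~/Library/Preferences/com.apple.Safari.plist.
    plistlib reads XML and binary plists, so no plutil conversion is needed."""
    return audit_safari_prefs(Path(path).expanduser().read_bytes())


# Constructed sample: a Safari that still auto-opens downloads and allows pop-ups.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoOpenSafeDownloads</key><true/>
    <key>AutoFillPasswords</key><false/>
    <key>AutoFillFromAddressBook</key><true/>
    <key>WebKitJavaScriptCanOpenWindowsAutomatically</key><true/>
    <key>WarnAboutFraudulentWebsites</key><false/>
    <key>HistoryAgeInDaysLimit</key><integer>7</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Swap SAMPLE_PLIST for audit_file("~/Library/Preferences/com.apple.Safari.plist")
    for key, (status, value) in audit_safari_prefs(SAMPLE_PLIST).items():
        print(f"{status:6} {INFORMATIONAL.get(key, key)}: {value!r}")
```

Run it on the real file with `audit_file` once Safari has been quit, since Safari writes its preferences back on exit; anything reported as `change` is a checkbox that still differs from the recommendation, and `unset` means Safari's own default is in effect and the pane should be checked by hand.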

Resetting Safari

Apart from the commonly known history purge (History -> Clear History), Safari has a useful feature called Reset Safari (in the Safari menu) which allows you to clear much of this information in one go. This allows you to clear locally-stored cache files, session cookies, and other browsing data.

[Screenshot: Reset Safari dialog]

One other Safari feature, Private Browsing, allows you to browse normally without recording the session’s history, cache, or cookies. This can be enabled in the Safari menu under ‘Private Browsing’. It’s still worth being cautious when using this, however, as recent research has shown that such features are not always perfect.

Next: Securing Leopard Checklist

Back: Privacy