Forgot your password?
typodupeerror
The Internet Businesses Apple

Inside Safari 3.2's Anti-Phishing Feature 135

Posted by kdawson
from the just-tell-us dept.
MacWorld is running a piece from MacJournals.com's for-pay publication detailing how the Safari browser's anti-phishing works. The article takes Apple to task for not thinking enough of its users to bother telling them when Safari sends data off to a third party on their behalf. For it seems that Safari uses the same Google-based anti-phishing technology that Firefox has incorporated since version 2.0, but, unlike Mozilla, tells its users nothing about it. "Even when phrased as friendly to Apple as we can manage, the fact remains that after installing Safari 3.2, your computer is by default downloading lots of information from Google and sending information related to sites you visit back to Google — without telling you, without Apple disclosing the methods, and without any privacy statement from Apple."
This discussion has been archived. No new comments can be posted.

Inside Safari 3.2's Anti-Phishing Feature

Comments Filter:
  • by Petersko (564140) on Tuesday November 25, 2008 @02:27PM (#25889115)
    In Apple's defense, they've never promised to do no evil. Their goal is to instill such unswerving devotion in their customer base that when they actually do some evil, it's here and gone in the news, and nothing has to change.

    So far, so good.
    • Re: (Score:1, Funny)

      Haven't you heard? Apple issued a press release stating that evil is "the new good."
      • Re: (Score:1, Offtopic)

        by Ihmhi (1206036)

        Yeah, they call it iEvil. It's pronounced how Obi Wan pronounces evil in A New Hope.

    • Is there any particular reason this is modded +5 Insightful?
    • by SanityInAnarchy (655584) <ninja@slaphack.com> on Tuesday November 25, 2008 @07:21PM (#25893257) Journal

      It's actually much simpler: Apple decides things for you.

      Good or evil, what's actually going on here is that Apple has decided that the Best User Experience (TM) will be best served by you surrendering personal information to Google -- that the benefit of privacy is far outweighed by the risk of phishing.

      Kind of like how Apple decided that the benefits of being able to install any software you want on a device (iPhone) are far outweighed by the risks of you installing something harmful.

      And for what it's worth, when you agree with Steve Jobs on the way things should be done, it's actually pretty amazing. Safari isn't a bad browser.

      But when you disagree with Steve Jobs, you have no recourse other than to suck it up or stop buying Apple products.

      • by Raenex (947668)

        Kind of like how Apple decided that the benefits of being able to install any software you want on a device (iPhone) are far outweighed by the risks of you installing something harmful.

        The royalties from selling applications via their store also might have something to do with it.

      • by mccabem (44513)
        This is "To whom it may concern" as I've seen similar "concerns/complaints" elsewhere...you just happen to be the one being quoted now:

        It's actually much simpler: Apple decides things for you.

        Kind of like how Apple decided that the benefits of being able to install any software you want on a device (iPhone) are far outweighed by the risks of you installing something harmful.

        ...just like every other OS developer.

        Compared to how Microsoft decides things will be -- 640K's enough, craptastic interface is "perfect", Internet is irrelevant, reinvent the OS from scratch every few years, etc, etc -- I'll take Apple's version (although not perfect) any day of the week.

        BTW, what the f**k is so important for you people to install "on your own" on your

    • by Swift2001 (874553)

      The point is, the method works to protect you against the great majority of phishing attacks. It works the same way as Google and Firefox. It is even less "threatening" than a google search. The proof of the idiocy of this attack is that it doesn't say anything substantial. It's not like they're selling your name or stealing from your bank account or selling your daughter to the slavers. The only thing they didn't do is "disclose" that in the process, a hashed database would be searched, and if it comes up

      • by mccabem (44513)

        If I had mod points, you'd have +1 right now.

        In addition to what you said, reading "complaints" like this in the "light of Microsoft's shadow" will also tend to put things into perspective.

        I'm glad to know about this new feature as it's the first I've heard of it. Also, as usual this seems to be a lot of hand waving around Apple for mostly no reason. I do hope that unchecking the "Warn when visiting fraudulent websites" checkbox actually turns off the whole feature.

        -Matt

        P.S. I think it could hav

    • by node 3 (115640)

      Not at all. Apple has done this sort of thing before, and whenever public opinion has been strong enough that they made the 'evil' choice regarding privacy, they've always corrected it. This happened with the initial iTunes mini store, it happened with the initial Safari bundling with iTunes, and they bypassed it altogether with the iTunes Genius (by choosing to be conservative in the first place).

      As people have noted further down, this isn't as much of a problem as it might seem. If what they are saying is

  • by nweaver (113078) on Tuesday November 25, 2008 @02:31PM (#25889173) Homepage

    The google service is designed to minimize privacy leaks. It downloads a coarse-hashcheck database (so Google learns nothing). And then if something hits, it queries a detailed hash.

    So unless you get a match on the coarse-hash database, Google learns NOTHING. And google only learns a hash if it matches, which is not very useful, AND google doesn't store this information unless it is a match with their detailed database.

    • by Petersko (564140) on Tuesday November 25, 2008 @02:37PM (#25889247)
      "The google service is designed to minimize privacy leaks. It downloads a coarse-hashcheck database (so Google learns nothing). And then if something hits, it queries a detailed hash."

      The problem is the lack of disclosure.
      • Apple isn't a very open company anyways. There is probably policy that it is better to say too little then too much. Do you really expect there will be a team of lawyers for every new update that comes out. Even a big company the size of Apple having every version be legally verified would sink it.

      • by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Tuesday November 25, 2008 @02:58PM (#25889527) Homepage Journal

        The problem is the lack of disclosure.

        I'm going to play devil's advocate for a moment and point out that such disclosure is getting harder and harder to comply with. Especially when the web is seen as a collection of cloud services. Should that piracy map viewer posted yesterday disclose to every user that they will connect to Google Maps for map data? Does every website disclose that you are downloading ads from Google or Doubleclick before you visit? Does your favorite web forum notify you that you'll be connecting to Youtube when users post videos?

        Those examples convey far more sensitive information than this anti-phishing technology. Yet we don't even bat an eye. In fact, we praise them for such useful extensions to their services. Should web browsers thus play by different rules and be required to notify the user of a non-existent violation of privacy before they do something useful?

        I'm not saying that some people don't feel slighted by this. I am saying that the web is evolving in ways that have already made this the norm rather than the exception. If you do feel slighted and wish to be excepted, you're probably going to have to get used to reconfiguring your browser in the same way you install adblock or flashblock.

        • Re: (Score:2, Interesting)

          by RaceProUK (1137575)
          Don't all Google ad-blocks have 'ads by Google' on them? And I do believe all YouTube videos viewed off-site have the YouTube watermark. Plus, Google Maps mashups tend to have 'Google Maps' in the bottom right corner.
          • by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Tuesday November 25, 2008 @03:20PM (#25889833) Homepage Journal

            Don't all Google ad-blocks have 'ads by Google' on them?

            Which would be after you give your information to them. Most other ad agencies don't even go as far as that!

            And I do believe all YouTube videos viewed off-site have the YouTube watermark. Plus, Google Maps mashups tend to have 'Google Maps' in the bottom right corner.

            Same thing. You've already connected to their servers and given up your info. Just because there are logos to promote brand recognition there, doesn't mean that you consented to give up your info to a third party or received disclosure that it was going to happen. Google Maps even goes so far as to give you a Terms of Use link *after* you've engaged their services! *gasp!*

            I guess the question for you is: Would you feel better if the antiphishing technology had a "powered by Google" logo on it when it found a dangerous site? If so, I'm sure that's something that Apple would be willing to add. It won't do anything to better protect your privacy, though. It will merely give you a warm and fuzzy feeling.

            • Re: (Score:3, Insightful)

              by Rayeth (1335201)
              Even learning after the fact is better than not being told that the transaction is taking place at all.
              • by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Tuesday November 25, 2008 @03:42PM (#25890133) Homepage Journal

                Glad you feel that way. I'll get a few post-event disclosures out of the way then:

                1. Your IP address, browser, operating system, installed plugins, and physical location were logged by Google Analytics as soon as you hit Slashdot.

                2. If you don't have adblock installed, your browser contacted doubleclick.net when you visited Slashdot and uploaded the unique id assigned to your browser. If you did not have a unique id, one was assigned to you. Additional information such as the site you are visiting, your browser, your plugins, your geographic location, and other information may have been collected during this transaction.

                Hope that helps!

                • Re: (Score:3, Insightful)

                  by dwpro (520418)

                  Unless, of course, you have noscript.

                  • by Ihmhi (1206036)

                    I often freeze up on pages waiting for google analytics to load. How could one stop the data from being sent to them?

                    • Re: (Score:2, Insightful)

                      by nneonneo (911150)

                      Firefox+NoScript. Then mark Google Analytics as untrusted to avoid it from telling you it blocked GA. Same thing works for DoubleClick and other advertising/tracking sites.
                       
                      Alternatively, you could add an /etc/hosts file to redirect GA somewhere harmless.

                    • by Ghubi (1102775)
                      Add '127.0.0.1 www.google-analytics.com' to your hosts file. http://someonewhocares.org/hosts/ [someonewhocares.org]
                • 1. Your IP address, browser, operating system, installed plugins, and physical location were logged by Google Analytics as soon as you hit Slashdot.

                  1. No, they weren't. Analytics is blocked by my ABP filters.
                  2. No, they weren't. Analytics is blocked by NoScript.
                  3. No, they weren't. Analytics is blocked by my hosts file.
                  4. No, they weren't. Analytics is blocked by my LAN's DNS.

                  2. If you don't have adblock installed, your browser contacted doubleclick.net when you visited Slashdot and uploaded the unique id assigned to your browser. If you did not have a unique id, one was assigned to you. Additional information such as the site you are visiting, your browser, your plugins, your geographic location, and other information may have been collected during this transaction.

                  1. My browser doesn't send referrer headers.
                  2. I don't accept cookies unless I have to (read required for work or finances.) If I do, they're deleted when I close the browser.
                  3. Doubleclick.net is blocked in my hosts file.
                  4. Doubleclick.net is blocked via my LAN's DNS server.
                  5. My browser doesn't send
        • by FooGoo (98336)
          Will I agree with you that this is a pointless argument I would say the difference between this and the examples you list is that it's an application on my desktop which is sharing the information. Not two website which have no relation to my computer or the information stored therein.

          It still think people will complain just because they need something to complain about to get noticed an feel important. They will scream slippery slope and wave there arms never realizing that there is no slope....it's a mi

          • Re: (Score:3, Informative)

            by Lars T. (470328)

            Will I agree with you that this is a pointless argument I would say the difference between this and the examples you list is that it's an application on my desktop which is sharing the information. Not two website which have no relation to my computer or the information stored therein.

            It still think people will complain just because they need something to complain about to get noticed an feel important. They will scream slippery slope and wave there arms never realizing that there is no slope....it's a minefield and we are all wearing rollerskates.

            I have the feeling you don't know how a browser works - it's not Slashdot that is sending the data, it's your browser. And if you are so paranoid about your privacy, you shouldn't be using any browser.

        • I'm going to play devil's advocate for a moment and point out that such disclosure is getting harder and harder to comply with.

          "Attention: By default, Safari now downloads a database from Google and connects back to Google to verify whether sites you visit in your browser are rated as malicious by Google. If you would like to opt out of this feature, uncheck this box: [x] Use Google's malicious site checking service."

          Just banged out a draft version for ya. Took me all of about 1 minute, and I don't e

          • by node 3 (115640)

            The problem isn't complexity or difficulty.

            No, the problem is complexity. Presenting a user with a prompt like this places the burden on them and requires them to make a choice that most people really don't care about.

            Additionally, to make it accurate enough to explain what it's actually doing will confuse most people, and making it so prominent might scare off people who will decline it for the wrong reasons.

            Apple has chosen a sane default, and those in-the-know can turn it off. This isn't tinfoil hat level of privacy, but it is average joe level o

      • Re: (Score:2, Informative)

        The problem is the lack of disclosure. That may be, but the truth is that 99.99% of users in general wouldn't have a clue what to do with that information.
      • by Lars T. (470328) <Lars DOT Traeger AT googlemail DOT com> on Tuesday November 25, 2008 @04:28PM (#25890833) Journal

        The problem is the lack of disclosure.

        Firefox has disclosed jack shit to me. So where's your problem with that?

        • by Petersko (564140)
          "Firefox has disclosed jack shit to me. So where's your problem with that?"

          I'd have the same problem with them. Of course, I use neither Safari nor Firefox.
          • Of course, I use neither Safari nor Firefox.

            And yet you post about how Apple are bad for doing this, how Apple's "minions" have unswerving loyalty, blah blah blah.

            You're not even affected.

            Ah! I see - you're trolling here. Foolish of me not to have spotted that earlier.

        • If you're using Windows or Mac - this was included in the license that you agreed to when you installed Firefox.

          If you're using Linux - this is a bug that has been fixed in source control. The new Firefox LicenseBar(tm), as seen in Ubuntu, will be appearing in all distros and platforms soon.

          • Re: (Score:3, Insightful)

            by Lars T. (470328)
            So when Mozilla puts something in the license, they are disclosing it, and when Apple puts it in the EULA, they are hiding it. Thanks for clearing that up.
    • I had a look through my settings, in 2.0 IRCC there was an option to download the list instead of checking as you browse, as i cant find the option anymore I'm quite disappointed that Mozilla have effectively compromised my privacy OR left me undefended.

      • Re: (Score:3, Informative)

        by asa (33102)

        You've got it backwards. There is no longer an option to check as you browse and the check against the local list has always been the default.

      • I don't recall that option. Anyway, isn't it just a list of hashchecks? No personal info?
        • It was defiantly in [ Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17 ] either check against a downloaded list or ask google about each one.

          Submitting the hash of every site you visit makes it very easy for google to see if you have or haven't visited a site. all the hashing stops is google having a list of sites youve been to, but a rainbow table means they can instantly see everybody that has been to www.slashdot.org. It depends if it is now done by list or by

  • Haven't upgraded... (Score:1, Interesting)

    by davidangel (1337281)
    Every time apple upgrades Safari, they disable my brilliant adblocker, Pithhelmet, and so I wait for the developer to hack it out again... Maybe I won't upgrade. Maybe my next mac will be running on mixed pc hardware. I'm strongly considering that...
    • Every time apple upgrades Safari, they disable my brilliant adblocker, Pithhelmet, and so I wait for the developer to hack it out again... Maybe I won't upgrade. Maybe my next mac will be running on mixed pc hardware. I'm strongly considering that...

      Just install Firefox with adBlocker.

    • Re: (Score:2, Informative)

      by supadjg (842662)
      Have you tried SafariBlock? http://fsbsoftware.com/index.html [fsbsoftware.com] Works pretty well for me.
    • by stokessd (89903)

      I bailed on pith-helmet right after 10.5 due to it always being behind the times. (I even paid for it). I would get a pith-helmet update just in time for a new safari release which would break it.

      SafariBlock is the way to go IMHO.

      Sheldon

    • by theurge14 (820596)

      Try SafariBlock [google.com] instead.

    • by King_TJ (85913)

      Did it ever occur to you that the authors of PithHelmet might be to blame, and not Apple?

      What's Apple supposed to do here? Make sure they don't modify their OWN software in any way, shape or form that causes PithHelmet to break? If it does, wait on their release until the PithHelmet guys say it's ok to proceed?

      (I'm just saying ... if you're making threats about your next Mac being some kind of hacked "Franken-Mac" over this? That's more than just a little extreme.)

    • by qengho (54305)

      Every time apple upgrades Safari, they disable my brilliant adblocker, Pithhelmet

      Input Managers Are Evil [wincent.com]. Try a proxy like Privoxy [privoxy.org] or GlimmerBlock [glimmerblock.org] instead.

  • Data protection act? (Score:2, Informative)

    by TheRaven64 (641858)
    I know Apple is based in the USA, with notoriously weak data protection laws, but over on this side of the pond distributing personally-identifiable information to a third party without explicit consent is a criminal offence. I wonder how close to the line this comes, or if it actually crosses it. I wasn't asked to agree to a new version of the EULA when I installed Safari 3.2 (I did it through the terminal, so maybe you are when you use the graphical update client?) and so I haven't even given implicit p
    • by negRo_slim (636783) <mils_oRgen@hotmail.com> on Tuesday November 25, 2008 @02:56PM (#25889507)

      but over on this side of the pond distributing personally-identifiable information to a third party without explicit consent is a criminal offence.

      Sorry I'm less than enthusiastic at your privacy laws considering there's a camera on every corner in your country, watching the citizenry.

      • by mikael_j (106439)

        That's just the UK though, the rest of us aren't quite so quick to use Orwell's books as a "how-to" guide...

        /Mikael

      • there's a camera on every corner in your country

        No there isn't.

        In the UK there might be, but we don't know that your parent poster is from the UK.

        I'm from Denmark, some other country on the same side of the pond as the UK, and we don't have any cameras filming the streets.

        I haven't read our data protection laws as closely as our copyright laws, but my general recollection is that we don't exactly let everyone talk about who we are. I was recently looking at switching to a free* phone company (*first 50 minutes and 50 SMSes every month, more than enough

      • by janrinok (846318)

        Well I have two comments to make to that...

        I have walked around my local town and I have only seen 4 cameras. They are not as prolific as you seem to think that they are. Perhaps there are areas of major cities where they are on almost every street corner, but not where I live.

        Secondly, do you imagine that these cameras are sending personally identifiable information to third parties? I don't. The cameras are used by the police for crime detection, prevention and/or deterrence. I support their use beca

      • by felipekk (1007591)

        At least there it is admitted that there are cameras...

      • Stop with the FUD if you could. Private cameras are not government cameras. Or isn't your every single move watched when you enter a store? I guess you could preserve your noble privacy by not shopping, only buying things online -- hang on, no, you're tracked there as well, by the web store and your bank. Hey, what about your right to privacy in the Constitution? Oh hang on, haven't got that either...

        Don't divert the topic, especially if you haven't got a leg to stand on.
    • I know Apple is based in the USA, with notoriously weak data protection laws, but over on this side of the pond distributing personally-identifiable information to a third party without explicit consent is a criminal offence.

      As I understand it, it sends a hash, not personally identifiable information.

    • by profplump (309017)

      I agree that this is a bad idea, but the information A) is not personally identifiable -- the specificity is at best an IP address and B) isn't being provided to Apple, and therefore Apple isn't providing it to anyone.

      If you wanted to argue with B) I think you'd have to make MS liable for every virus that uses the built-in TCP/IP and vCard libraries to query your address book and send off your personal information -- after all, the virus was using both libraries as designed and provided by MS.

    • Re: (Score:3, Informative)

      by ChrisA90278 (905188)

      The key is "personally-identifiable". What Apple is sending is not. They are sending a hash of a page. All they are doing is taking something you just downloaded, scrambling it up and sending it back to the web.

      If you are truly worried about people finding out what sites you are browsing then you need to worry a LOT about DNS servers. DNS server know your IP address and the name of every site you click. How would you know if the DNS server is logging your queries?

      • by shmlco (594907)

        "If you are truly worried about people finding out what sites you are browsing then you need to worry a LOT about DNS servers."

        Or your ISP, for that matter. Every request you make passes through them.

      • They are also sending this to Google, which crawls the entire Internet. If Apple is indeed sending a hash of every page I view, is it inconceivable that Google could build a hash of every page I might ever view?

  • So... (Score:1, Offtopic)

    by owlnation (858981)
    Even as a Mac fanboy I could care less. I want to use Safari, especially since Firefox is not the best on a Mac. However, no flashblock, no adblock -- no use. I'm reluctantly sticking with Firefox.

    Antiphishing technology is of little to no value to me, flashblock and adblock are essential on the web. Steve, call me when Safari is web ready, without these tools it simply is not.
    • Re: (Score:3, Informative)

      by ttlgDaveh (798546)

      First off, because it drives me nuts, it is "couldn't care less". (Cue picking on grammar errors in this post. Maybe I'll drop a couple in intentionally!)

      Secondly there is adblock (and flashblock) for Safari in the form or SafariBlock [google.com], or if you don't care for Input Managers there's always things like GlimmerBlocker [glimmerblocker.org] which is a local HTTP Proxy which will block ads (and flash and do other fancy things) across the whole system and not just one browser.

  • by hellfire (86129) <deviladv@@@gmail...com> on Tuesday November 25, 2008 @02:45PM (#25889341) Homepage

    Remember, the people who designed the Internet (incorrectly) assumed that all computers on the network would be trustworthy, so the rules are pretty loose.

    C'mon, Macworld is better than this. Okay, the article is critically reviewing the anti-phishing feature, but the writer seems to have a bone to pick and in order to post an emotionally charged article, takes things one step too far.

    The internet was intentionally designed, itself, not to have a centralized authorizing body for each and every PC and server on the planet. It's decentralized on purpose. When a so called journalist writes something like this, I have a problem, because to me it's just pandering to the security freaks. It's a bit off topic, but I also have a problem reading the rest of the article because it makes it hard to trust what the guy has to say. There's probably good facts in the article, and if there's a problem Apple should be criticized, but I can't possibly continue reading when I see something stupid like this.

    • by Cowmonaut (989226)

      I'm with you there. Even worse is when you read a few articles from various writers on a site and think that its a great website with people you can have an interesting debate with, and then you get a total turdfest of a gem that ruins it forever for you.

      For a whole week I was like that with Firedoglake, but then I made the mistake of reading the comments. *shudders* Freaking Digg users man...

  • Just use Firefox and be done with it, while all browsers have their faults (and features) Safari offers nothing unique (IMO) and Firefox most likely has a bigger team of coders behind it.

    I use Firefox on Ubuntu, XP, and OS X Leopard so I have continuity/usability across the board, and that is what sells me on open source.

    • Re: (Score:2, Informative)

      by bledri (1283728)

      Just use Firefox and be done with it...

      Um, you realize that Firefox uses the exact same anti-phishing technology, right? If you prefer Firefox, that's great but as far as this particular issue goes the difference is disclosure, not implementation. I like Firefox, but Safari is faster and less of a CPU and memory hog on OS X in my experience. And the integration is better - so I'll stick with Safari (although I skipped 3.2 because of all the crash complaints and I use FF for serious HTML/DOM/JavaScript hacking.)

      • by koan (80826)

        My experience is that "on a Mac" Safari is faster, sure isn't on Windows.
        My point was though...why bother with Safari? Nothing unique and in the most meaningful sense it's redundant. (and not very pretty)

        To me a matter of 1 or 2 seconds longer loading for Firefox is acceptable as it isn't native to OS X, however on Ubuntu it is much faster for em than either Windows or OS X.

    • by Lars T. (470328)

      Just use Firefox and be done with it, while all browsers have their faults (and features) Safari offers nothing unique (IMO) and Firefox most likely has a bigger team of coders behind it.

      And yet they use they use the exact same feature you are so pissed about it being in Safari.

  • by Animats (122034) on Tuesday November 25, 2008 @03:39PM (#25890087) Homepage

    Our AdRater plug-in has similar privacy issues. It's a plug-in that "phones home" to get information about the advertisers whose ads appear on a site. Here's what we tell users:

    AdRater "phones home", but tells us as little as possible. AdRater sends the domain name associated with each advertisement you see to SiteTruth. Thus, we can tell what advertisers have reached you, but cannot tell what web pages you have been viewing. We can't tell if you click on an ad. AdRater does not use "cookies" or any other user identifiable information other than your current IP address.

    If we change any of this, the changes will not take effect until you download and install a new version of AdRater.

    AdRater does not rate ads on secure pages, so no information about a secure page is ever sent to our servers.

    Now that wasn't hard, was it?

    For really technical users, we publish the API AdRater uses [sitetruth.com], so you can check to see that we're telling the truth about what data goes back and forth.

  • Safari crashes on me every time I try it.
  • It's simple. Just unplug your comp...

    NO CARRIER

  • I wonder why.

  • by $criptah (467422) on Tuesday November 25, 2008 @05:41PM (#25891955) Homepage

    I fail to see how this is a big deal. Did you read the article? If so, you would not panic as well.

    First of all, everything is transported in hashes. You do not compare the actual URLs that customers visit, only the hashes. Google has no actual links that indicate the banks that you use and the pr0n sites you have browsed. Only hashes.

    Also, this is a configurable option. Apple does not force you to use Google. Apple does not force you to use this feature. I think it would be easier if Apple has explained this feature in the release notes to a greater extent and if users had to accept some sort of a license agreement when enabling this feature. Nothing else beyond it.

  • by Anonymous Coward

    In a stock installation of Firefox 2.0 and higher, Ctrl-K. Type a letter, any letter, *without* hitting Enter. You have now sent information to Google and any would-be MITM, all so that Google could recommend "amazon" for "a," all sent in glorious clear plaintext.

    Now imagine that you had sensitive text information in your clipboard and it found its way into the search box purely by accident. Oh, to be the man in the middle of that.

    Just because it's the search box instead of the *hash* of a URL to which y

    • by Epsillon (608775)

      Indeed. I'm surprised more people don't just use this [mozdev.org] instead. Oh, and about:config is your friend if you're concerned about privacy at all. Fx isn't privacy-safe by default. It leaks all manner of personal information. Open source, it seems, no longer means the developers have your best interests at heart. My first thought when reading the synopsis was "Fx does this by default and removal of the associated Google URLs is non-trivial." so I can see exactly what you're saying about Moz vs Apple.

      As fo

  • by adavies42 (746183) on Wednesday November 26, 2008 @02:57AM (#25896629)

    to repeat what i said on the macworld article's comment board,

    sudo dscl localhost -create /Local/Default/Hosts/safebrowsing.clients.google.com IPAddress 127.0.0.1

    (or do the obvious with /etc/hosts if you're still running tiger (not that i know if safari 3.2 is available for tiger....))

  • And it comes in a new kind of package file (well, new to me), in "xar!" format. XAR is a new archive format, with an annoying command line.

    To see what's in the package if you want to see what Apple's doing before you let them do it:

    $ mkdir xartmp
    $ cd xartmp
    $ xar -x -f ~/Downloads/Safari3.2.1Leo.pkg
    $ file *
    Bom: Mac OS X bill of materials (BOM) file
    PackageInfo: XML 1.0 document text
    Payload: gzip compressed data, from Unix
    Scripts: gzip compressed data, from Unix

    In other words, the usual .pkg file, ju

There are running jobs. Why don't you go chase them?

Working...