Safari 3.1 released. No EV SSL Support.
Apple released Safari 3.1 on Tuesday. The release brings new features and 13 security updates for the Safari browser, but not a trace of support for EV SSL Certificates. PayPal's Chief Information Security Officer, Michael Barrett, recently made a statement about Safari's lack of security:
Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.
He also specifically mentioned Safari's lack of EV SSL support as a reason that it is less secure. The new update does include better certificate validation. VeriSign's Tim Callan is clearly disappointed:
Until now I was giving Apple the benefit of the doubt. There hadn't been a major Safari release since EV went live, and I figured maybe they just needed time to get their code out the door, like Firefox, which just added EV support, or Opera, where support is pending. But no. Turns out Apple has not prioritized security in its browser releases. Turns out that Apple doesn't consider over 25,000 new phishing attacks identified each month as a security threat worth protecting its users from. Maybe only geeky PC guys (as portrayed by comedic polymath John Hodgman) worry about identity theft and account takeover. Maybe Mac guys are too cool to think about these things.
Or maybe they care, too.
Safari 3.1 update fixes 13 security flaws - [CNET News]
Originally posted on Sat Mar 22, 2008