This week, Opera released a new beta of version 9.5 of its Mac browser. Now this isn’t necessarily a significant event, because Opera regularly releases updates for its products. However, like most other browsers — with one notable exception — Opera offers phishing protection.
What this means is that, in the event you click, say, on a bogus link in a letter or on a site taking you to a page that’s designed to steal your personal information and pilfer your personal finances, you’ll be appropriately warned.
Opera’s “Stay Safe” feature is mirrored to a large extent in recent versions of Firefox and even Microsoft’s Internet Explorer. Of course, there’s nothing to stop you from ploughing on and accessing the bogus site anyway, but you’ll at least be appropriately warned.
More recently, PayPal has said that, in light of the growing phishing problem, they were going to abandon support for older browsers. That sparked speculation that Safari might be included on the list, since it offers no phishing protection whatever. However, PayPal later clarified their statement, indicating that Safari would, in fact, remain supported.
So is Apple missing the boat here on a critical security protection technique? You see, phishing doesn’t know platform differences, and the Mac user can succumb to this form of criminal activity as easily as the Windows user simply by falling for a fake message purporting to be, say, from your bank. So why isn’t Apple doing more?
Certainly, I think Apple takes security mighty seriously. They issue periodic updates for recent versions of the Mac OS. A recent QuickTime upgrade, for example, according to security researcher Rich Mogull [1], added a number of critical changes to the code that will make the hundreds of millions of users on the Mac and Windows platform safer from exploitation.
According to Mogull, Mac OS X Leopard also has a number of enhancements that actually come close, but don’t exceed, those Microsoft incorporated in Windows Vista. Now understand, that doesn’t mean Vista isn’t a hodgepodge of bloated junk, but it does mean that Microsoft was forced to seriously consider ways to improve Windows security, after businesses lost billions of dollars over the years coping with the malware mess that afflicted the platform.
For now, except for one or two minor outbreaks and proofs-of-concept, the Mac OS X platform has remained relatively safe. This doesn’t mean that you shouldn’t install Apple’s security updates when they arrive. You never can tell when a security lapse will somehow be exploited. No operating system is perfect.
And, no, I don’t subscribe to the security by obscurity thesis that has it that Macs won’t be seriously vulnerable until the market share reaches some unknown threshold. I just think that Internet criminals still manage to make most of their ill-gotten gains on Windows and that’s not going to change in the foreseeable future.
At the same time, I think Apple, in addition to its questionable ethics about offering Safari installations for Windows users with a checkbox preselected, ought to consider such basics as phishing protection.
Now I have to tell you there are other ways to protect yourself, and it doesn’t necessarily require buying someone’s security software. You can, for example, make a one minute change in your Mac’s DNS settings, in the Network preference panel, to use OpenDNS [2] rather than the DNS servers from your ISP. Thanks to the brilliant mind of developer David Ulevitch, who also created Phish Tank, a well-known repository of information about bogus sites, OpenDNS will use that technology to block access to those dangerous locations.
OpenDNS also offers a huge, highly efficient DNS cache, which means that you’ll be able to access your favorite sites slightly faster. As part of the free sign-up process, you can also configure methods to block other forms of unsavory content, such as porn sites.
Their technology is already being embraced by lots of businesses, including such disparate firms as The UPS Store and Sunsweet. A number of libraries are also reconfiguring their computers to use OpenDNS, and some ISPs are also taking this step.
Even better, it’s all free. OpenDNS pays its bills by selling pay-per-click ads for its customized landing sites, which you’ll see if you happen to connect to an inactive site by error.
In fact, I wonder if Apple couldn’t find some way to work with OpenDNS, maybe as part of the standard setup of a new Mac, so nobody would be forced to do the settings manually — although they are quite trivial actually.
For now, my own protection routine, other than OpenDNS, is the NAT security of my AirPort Extreme base stations and Leopard’s own fairly basic firewall feature. No, I haven’t installed any virus protection software, but that doesn’t mean I won’t change my mind should the need arise.