Safari: Using encryption and secure connections

  • Last Modified: August 07, 2008
  • Article: HT2573
  • Old Article: 107784

Summary

Safari is compatible with secure websites, such as those that use 128-bit encryption. Learn how to recognize a secure connection, and how to avoid a fake.

Websites that deal in personal or financial information typically offer secure connections. With a secure connection, your data is encrypted so that it cannot be easily read by anyone who might intercept it between your computer and the website. Safari works with websites that use 128-bit "strong" encryption.

Important: You should not enter any sensitive information on a form if you are not sure it is secure. If a legitimate organization requests sensitive information on an insecure form, you should consider contacting them via telephone instead.

Products Affected

Safari, Certificate Authority (CA)

When to use a secure connection

Often the decision to use a secure connection is made for you, for example when you are creating a new account on a commercial website. Since this normally includes personal address and financial information, you should see a connection change to secure when creating an account (how to recognize a secure connection is described below). Generally speaking, sites should automatically switch to a secure connection when requesting or displaying sensitive information.

At other times, websites leave this decision up to you, most often by offering standard and secure login options. You should always choose secure login when it is available. Examples of popular sites that offer both secure and standard login are Yahoo!, eBay, and Amazon. Sites that deal heavily in sensitive information tend to offer only secure login. The standard login option is available for older browsers that cannot make 128-bit secure connections.

Tip: When logging into a website, watch for choices such as Standard and SSL. Standard refers to an unsecured login. SSL refers to a secure login (Secure Sockets Layer, the Web encryption protocol).


Why secure login?

Choosing secure login prevents someone from easily intercepting your name and password. For that reason, secure login is a good idea even when your account at the website does not contain sensitive information. With your login information, someone could use your identity on that site, or at another site where you used the same login. It's a good practice to use at least two different passwords for the websites you visit: one for secure sites and another for unsecured sites. If you use the same password on all sites, it could be intercepted at an unsecured site, then used maliciously at a secure site.

Tip: For help choosing a secure password, see "Mac OS X: How to Choose a Secure Password".


Recognizing a secure connection


One typical sign of a secure connection is a lock icon at the top right corner of the Safari window.



Another typical sign of a secure connection is that the website's address begins with "https" instead of "http".

Usually, if these three conditions are met, the page can be considered secure:

  • The lock icon appears in the top right corner of the Safari window
  • The page's URL begins with "https"
  • You trust the organization that created the website (if you do not know or trust them, consider submitting information to them via phone instead).

You may see unsecured pages after a secure login (no lock icon or "https", that is). This does not indicate a security risk. Typically, only the pages that display or request sensitive information are secured. A page where you view a product's information does not need to be secure. Whenever you come back to a page that displays or requests sensitive information, the lock icon should reappear.

Note: Not all content that appears on a "secure" web page may have come from secure, encrypted sources, but the main page should be from an encrypted source.

Tip: Sometimes a secure login form at a trusted site does not appear to be secure at first. You might see a button that says "Sign into our secure server" on a page that is not secure. A secure connection might appear after you click the button. If you are not sure how a site works, a simple test is to enter "guest" as your user name and password. Look to see if the connection changes to secure after you click the submit button.


What does "secure" mean?

"Secure" means two things. First, it means your data is encrypted during transit so that third parties cannot easily read it. This may be used to protect login information or any other sensitive information.

Second, it means that the publishers of the website are who they claim to be, as based on a third-party certification system. Safari performs this "authentication" by checking the site's security certificate, which must be granted (or "signed") by a trusted third party, known as a certificate authority (CA). The lock icon appears only when trust is established. If the certificate is not trusted, you see a message warning that the website's identity could not be verified.




If you choose to continue on an unverified site, you are trusting the site for one session only. If you quit and reopen Safari, the warning will appear again.

Advanced tip: If you want to see which authority signed the certificate for a site in Mac OS X 10.4 or later, click the lock icon at the top right corner of the Safari window. In Mac OS X 10.3.9 or earlier, you can do this using the curl command in Terminal with the -v (verbose) option. To check the certificate for the Apple Store, for example, you would execute the command this way:

# curl https://store.apple.com -v
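The same check Safari performs, done by hand with Python's ssl module, as an added example that is not part of the original article: the default context insists on a chain leading to a CA the system trusts and on a matching host name, so an untrusted certificate raises an error instead of returning an issuer. The helper names and the use of store.apple.com as the host are assumptions.

```python
import socket
import ssl

def format_name(rdns):
    """Turn the tuple-of-tuples name returned by getpeercert() into a
    readable 'countryName=US, commonName=...' string."""
    return ", ".join(f"{key}={value}" for rdn in rdns for key, value in rdn)

def certificate_issuer(hostname, port=443, timeout=10):
    """Connect with the checks Safari applies: the chain must lead to a CA
    the system trusts and the certificate must match the host name.
    Returns the issuer (the signing authority) of the verified certificate;
    raises ssl.SSLCertVerificationError if trust cannot be established."""
    context = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # populated only after verification succeeds
    return format_name(cert["issuer"])

if __name__ == "__main__":
    # Hypothetical run against the host the article uses as its example.
    try:
        print(certificate_issuer("store.apple.com"))
    except ssl.SSLCertVerificationError as exc:
        # This is the case Safari reports as "identity could not be verified".
        print("identity could not be verified:", exc.verify_message)
```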


Avoiding fake "secure" sites

To protect your information, learning how to recognize a secure connection is not enough; you also need to avoid the fakes. Identity thieves hope to collect names, passwords, and other information by tricking people into thinking they are on a trusted site. Fortunately, you can avoid most of these tricks by following two simple rules:

Rule 1: Do not trust any "secure" indicators other than those shown above.

The reason for this rule is that some sites put fake lock icons or other assurances of security within the page's text. Any assurance within the page itself is meaningless. The connection is not secure unless the lock icon appears and the address begins with "https".

Rule 2: After clicking a link that was included in an email, do not log in or provide any information.

Rather, open a new browser window and type the website's address yourself, being sure not to use an auto-completed address. Alternatively, you could use a bookmark. Log in as you normally would, and check your account for any updates.

This rule protects you from a variety of schemes in which an email is disguised to come from a trusted website with a request that you log in to update your account information. These emails can lead you to convincing counterfeit websites that hope to collect your information for malicious purposes. Sometimes only an experienced Internet user or webmaster can distinguish these from legitimate emails, so it is important to follow this rule any time that you have doubts about a message's origin.

Regardless of how the deceptive email works, its goal is always to disguise the actual address of the fake site, making it appear to be the address of the true site. Here are three common tricks you may see:

  • Deliberately confusing address

    You may see an address with a form similar to this:

    http://cgi.apple.com.jl4.509.5a0@169.09.19.35/account/verify=

    This play on URL syntax may confuse you into thinking that it goes to apple.com. In reality, this address points to the server at the IP address 169.09.19.35. Everything preceding the at symbol (@) is treated as a user account name for that server, not as part of the host name.
  • Image of a link

    Sometimes, you may see what appears to be a text link that's really an image file (a screenshot taken of text). The image file links to the fake site. You can identify an image by trying to copy the text. If you can't select and copy the text in an email, it may not be text.
     
  • Hidden links

    You may see an address that looks perfectly normal, such as: (https://store.apple.com/)

    Using HTML or a script embedded in the email, however, the sender can cause the link to go somewhere else. You can only determine the true destination by viewing the source code of the email, which is usually HTML or rich text (RTF). This trick plays on common assumptions we have about email. Most email applications have a feature that automatically displays a web address as a live link when typed, without the HTML formatting that would otherwise be required to get this effect. Because of this, we are trained not to distinguish between a plain text link, which is made live by virtue of a feature, and a true HTML link, which specifies its destination in source code. Simply put, this means that a web address link does not necessarily go where it appears to go. A sender can mislead you by putting a different destination in the source code. You should suspect this when the address that appears in the Safari browser window is not the one that appears in the email.
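The "deliberately confusing address" and "hidden links" tricks above can both be caught mechanically. The following is an added example, not part of the original article: it parses a constructed HTML email, reports the host each link really connects to (anything before "@" is user info, as explained above), and flags links whose visible text is a web address that does not match the destination in the source. The function names and the sample message are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def true_host(url):
    """Host a URL really connects to; user info before '@' is ignored."""
    if "://" not in url:
        url = "http://" + url  # visible text such as www.example.com
    return (urlsplit(url).hostname or "").lower()

def looks_like_url(text):
    return re.match(r"^(https?://|www\.)\S+$", text.strip()) is not None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, reason) for links using the '@' trick or whose
    visible address points at a different host than the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if "@" in urlsplit(href).netloc:
            flagged.append((href, text, "user info hides real host " + true_host(href)))
        elif looks_like_url(text) and true_host(text) != true_host(href):
            flagged.append((href, text, "text shows " + true_host(text)
                            + " but link goes to " + true_host(href)))
    return flagged

# Constructed sample email: a hidden link, a confusing address, and one honest link.
SAMPLE_EMAIL = (
    '<p>Please <a href="http://169.09.19.35/verify">https://store.apple.com/</a> '
    'or <a href="http://cgi.apple.com.jl4.509.5a0@169.09.19.35/account/verify=">'
    'verify your account</a>. Help: <a href="https://www.apple.com/support/">'
    'https://www.apple.com/support/</a></p>'
)
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the honest one alone.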

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.
