The following information is based on OS X 10.10 Yosemite. If you are running an earlier version of OS X the information might still be useful, but you may have to look in different preference panes.
My friends and family often ask me what they can do to make their Mac more secure. They are often concerned about viruses or people spying on their computer while they are online. No computer can be considered "secure" once it's connected to a network, but there are a few things you can do now to make web surfing safer in the Safari web browser.
This is one security setting that is often overlooked; it lives on the General tab as "Open 'safe' files after downloading", and I think Apple should move it to the Security tab. For convenience, Safari defaults to opening certain "safe" content -- movies, photos, PDF files, disk images and archives, etc. -- as soon as the download finishes. Given that many users get tricked into downloading files that contain malicious software[1], leaving this setting enabled is dangerous: a file Safari considers "safe" is still a file that some other application has to parse. Imagine clicking a link that, unknown to you, downloads a PDF crafted to exploit your PDF viewer and install a key logger[2]. Having Safari automatically open these file types is not a good idea. Turn this off!
Launch Safari and choose Preferences from the Safari menu, then click the Security tab. There are a few options here, and they are all easy to understand and use. I have them all enabled on my iMac and MacBook.
Fraudulent sites: Safari uses Google's Safe Browsing service to protect you from scams and phishing by identifying known fake websites and displaying a warning before the page loads. You then have the choice of navigating away from the site or proceeding to it anyway. You definitely want to keep this one on. Most personal computers, if configured correctly, have decent protection against direct attacks from hackers; most users instead fall victim to phishing and click a link to a fake website. The site looks like the real thing and attempts to trick you into entering your user ID and password, or into installing software that will steal your passwords. This Safari setting helps protect you from those attacks, but only against sites that have already been reported, so it is no substitute for checking the address bar before you type a password.
One thing I recommend strongly is whitelisting which websites may use your browser plug-ins. I wish the web would move away from plug-ins such as Adobe Flash and Java, but it seems it will be a long time before this deprecated technology disappears. If you must run Flash or other plug-ins, choose the "Ask" setting for each of them, or default to "Block". When you visit a website that uses a plug-in, Safari then displays a placeholder instead of the plug-in content, and you can click the placeholder to allow that website to use the plug-in.
I also restrict (whitelist)[3] which websites have access to the plug-ins. This reduces the chance that a malicious website can use a vulnerability in one of those plug-ins against you. Keep your plug-ins up to date, and update them only from the vendor's own website (Adobe, Microsoft, Oracle for Java, etc.). There are many websites offering fake versions of these plug-ins; the fakes contain viruses, Trojans, key loggers and the like, and a pop-up on a random site telling you your Flash player is out of date is a classic way of delivering them.
All the settings below (on the Privacy tab) are about limiting the amount of information your browser shares with the websites you visit. Many websites and services think they have a right to track you and find out as much about you as they can. I suspect that were it not for certain laws, some of these companies would send someone to install cameras in your home and tap your phone calls.
Websites can ask for your location (determined from nearby Wi-Fi networks or by looking up your ISP's network address in a database) to provide services and features. This setting lets you choose how often Safari asks you whether a website may use your location. If you don't want to be asked at all, select "Deny without prompting." I have mine set to once a day.
"For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable."
-- Bruce Schneier
I don't mind Lands End knowing how I use their website if it helps them provide better service to me. However, I don't see how letting one company with whom I do very little business track my every move across the web helps me. You want to block this as much as possible. You can set Safari to accept cookies and data only from websites you explicitly visit ("Allow from websites I visit"). Safari uses your existing cookies to decide whether you have visited a website before, and blocks third-party advertising networks from storing cookies and data on your Mac.
If at any point you get a bit paranoid, you can remove some or all of the cookies and website data stored on your Mac, or review which websites have stored cookies and other information.
Some websites track your browsing activity when they serve you content, which lets them tailor what they present to you. You can have Safari ask websites and their third-party content providers (including advertisers) not to track you. The latest proposed draft of the Do Not Track specification requires that users explicitly choose to turn the feature on in their browser, and Apple adheres to that. Honoring the request is entirely voluntary, though: all the setting does is add a "DNT: 1" header to each request, it blocks nothing, and Google ignores the "Do Not Track" setting entirely. Most websites do the same. This setting may not do anything useful today or in the future. Leave it enabled anyway.
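If you look after several Macs, clicking through the preference panes on each one gets old, so here is a small script that audits Safari's preference file against the settings covered above. This is an added example written for this post, not Apple's code and not part of Safari. It assumes the preference key names listed in its comments (the ones Yosemite-era Safari writes to com.apple.Safari.plist; AutoOpenSafeDownloads is the key the CIS benchmark checks) and it assumes the built-in defaults noted in the code for keys that are absent. Only the three settings stored as plain booleans are covered (auto-opening "safe" files, the fraudulent-site warning, and Do Not Track); the plug-in and cookie policies are stored in more complex structures and are left to the GUI. The sample preference dictionary at the bottom is constructed for the example.

```python
"""Audit a Safari preferences file against the settings recommended above.

Added example for this post, not Apple's code. It reads com.apple.Safari.plist
(plistlib handles both binary and XML plists) and reports the three settings
on this page that are stored as simple booleans.
"""
import plistlib
import sys

# Keys in Safari's com.apple.Safari preference domain as written by Yosemite-era
# Safari. Confirm any key on your own Mac with:  defaults read com.apple.Safari <key>
# Value tuple: (recommended value, assumed built-in default when the key is
# absent, message). The built-in defaults are my assumption from a fresh
# install: Safari opens "safe" files and warns about fraudulent sites by
# default, and does not send Do Not Track.
CHECKS = {
    "AutoOpenSafeDownloads": (
        False, True,
        'Open "safe" files after downloading is on; turn it off (General tab)'),
    "WarnAboutFraudulentWebsites": (
        True, True,
        "Fraudulent website warning is off; turn it on (Security tab)"),
    "SendDoNotTrackHTTPHeader": (
        True, False,
        "Do Not Track header is not sent; enable it (Privacy tab)"),
}


def audit(prefs):
    """Return one finding string per setting that is weaker than recommended.

    An absent key means Safari is using its built-in default, so a missing
    AutoOpenSafeDownloads key is itself a finding. An empty list means all
    three audited settings match the recommendations on this page.
    """
    findings = []
    for key, (want, default, message) in CHECKS.items():
        actual = prefs.get(key, default)
        if bool(actual) != want:
            findings.append(f"{key}={actual!r} (want {want}): {message}")
    return findings


def harden(prefs):
    """Return a copy of prefs with the three audited keys set as recommended."""
    fixed = dict(prefs)
    for key, (want, _default, _message) in CHECKS.items():
        fixed[key] = want
    return fixed


def load_prefs_bytes(data):
    """Parse raw plist bytes (binary or XML) into a dict."""
    return plistlib.loads(data)


def load_prefs_file(path):
    """Read a plist file from disk, e.g. ~/Library/Preferences/com.apple.Safari.plist."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def plist_bytes(prefs):
    """Serialize a preference dict as an XML plist, e.g. to diff against the original."""
    return plistlib.dumps(prefs)


# Constructed sample: a fresh Yosemite install where the only change made so
# far is turning Do Not Track on; everything else is still at its default.
SAMPLE_FRESH = {"SendDoNotTrackHTTPHeader": True}

if __name__ == "__main__":
    # Usage: python3 safari_audit.py ~/Library/Preferences/com.apple.Safari.plist
    prefs = load_prefs_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRESH
    for line in audit(prefs) or ["OK: audited settings match the recommendations"]:
        print(line)
```

On a Mac, fix a finding with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` (and the other keys likewise) while Safari is quit, rather than editing the plist by hand; Safari rewrites its preferences on exit and cfprefsd caches them, so a hand edit made while it is running can be silently lost. `harden()` is there to show the intended end state and to produce a plist you can diff against the original, not as the way to apply the change. Later releases of Safari keep the file inside its sandbox container rather than directly under ~/Library/Preferences, so the path will differ there.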
The web can be a safe place. Learn to practice safe browsing habits, and with the tips outlined here your browsing will be more private and safer. If you really want to dig into the details of Safari security, check out the Center for Internet Security (CIS) Benchmark.
[1] Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
[2] Key logging: the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. See the Wikipedia entry.
[3] Whitelisting: an emerging approach to combating viruses and malware is to whitelist software that is considered safe to run, blocking all others. See the Wikipedia entry.