Securing the Web Client
The browser that Apple ships with Mac OS X 10.4, Safari 2.0, provides a number of security features that make it relatively simple to set up a safe browsing environment for you and your users. One of the main concerns is a site that executes malicious code upon loading the webpage or that tricks the user into activating the code. A common example is a site that pops up additional windows, often masquerading as alert boxes or other dialogs, deceiving the user into clicking them, and then executing more malicious code. Even though most malicious software, or "malware," out there is written targeting
site that requires themand then
them back off again.
Setting Security Preferences
Most of the Security options are available by opening Safari preferences and selecting the Security tab.
The Security tab offers these options:
Browser plug-ins are programs that extend the capability of your browser. The QuickTime and Flash plug-ins are perfect examples: they let you play QuickTime and Flash content, such as movies or sounds, that is embedded in the webpage. To see the plug-ins that Safari has installed, go to Safari's Help menu and select Installed Plug-ins.
Java is a software platform and programming language that allows highly portable programs to be run in many different environments, including browsers. Because there are malicious programmers out there, there is a way to turn off Java.
, validate forms before submitting them, track user history, and provide interactive effects.
uses for pop-up windows. This feature is also accessible through the Safari application menu.
Cookies are files that websites store on your computer to save user information such as shopping preferences and shopping carts, and to gather accurate statistics on their visitors (the total number of new versus repeat visitors, for example). But the information that cookies gather can be sold for marketing, and some infrastructure providers gather information about you across multiple sites. Safari lets you decide how to handle cookies and lets you view the individual cookies.
If you select the "Ask before sending a non-secure form to a secure website" checkbox, Safari will ask for approval before sending unencrypted form information to a secure site.
When you enter a secure website (HTTPS), the data transferred between the client and the server is encrypted with the Secure Sockets Layer (SSL) protocol. Aside from the URL beginning with "https," your secure connection is signified by a padlock icon in the upper-right corner of the browser window. The SSL encryption is set up in conjunction with a digital certificate, which also helps establish the website as genuine. By clicking that padlock, you can view the credentials of the certificate and evaluate its authenticity.
Selecting the "Enable parental control" checkbox does two things: it restricts the ability of the current account to modify the "New windows open with" and "Home page" settings under Safari's General preferences, and it requires an administrator to add each allowed website. You do this by navigating to a site, clicking the Add Website button, and providing an administrator name and password. The site is added to the browser's Bookmarks bar.
The website restriction becomes active as soon as you select "Enable parental control," but the "New windows open with" and "Home page" restrictions do not; you must quit and restart Safari for that change to take effect.
"Enable parental control" is also available through System Preferences > Accounts > Parental Controls.
All of the websites that were in the Bookmarks bar before you turned on parental control will be allowed sites. If you have a long list of sites you want to add, add them to the Bookmarks bar before you turn on parental controls.
"Enable parental control" will be grayed out if you are logged in as an administrator. You must be logged in as the user being "controlled."
Using Safari on a Public Access Mac
If the computers you maintain are set up securely, there should be little need for this feature, but what if you are using a public access computer, or a computer with a questionable security configuration? In the Safari application menu, there are three menu items (in addition to Block Pop-Up Windows) to make sure you don't leave sensitive information from your browsing session behind.
If you select Private Browsing, the sites you've visited are not added to the history, the Downloads window is cleared when you quit Safari, no information (including user names and passwords) is saved in AutoFill, and searches are not added to the Google search box. While browsing, you can still use the Back and Forward buttons to navigate sites, but when you close the window, that information is gone.
Do not confuse Private Browsing with Anonymous Browsing, which is concerned with your browsing being observed from outside the computer. Internet service providers (ISPs) can monitor your browsing, including what file types you are downloading, and commercial sites collect information such as your Internet Protocol (IP) address, what Web browser you are using, and who your ISP is. Consequently, there are Anonymous Browsing services that offer various degrees of "anonymization." These vary from simple proxy servers that retrieve webpages for you, without your information being sent to the remote site, to services that also encrypt your browsing transaction from end to end.
Reset Safari erases your browsing history, empties the cache, clears the Downloads window and Google search entries, and removes cookies and AutoFill text.
Empty Cache deletes webpage contents that were stored locally. The reason for caching files in the first place is to speed the browsing of sites that you have already visited, as those files can now be read from your hard drive rather than waiting for them to download every time you visit the page, especially sites you visit frequently, like your home page. It is a good idea to empty the cache on public computers when you are done using them, as the cache files may contain personal or sensitive information such as passwords or credit card numbers. Private Browsing performs the same function as Reset Safari, but you turn it on when you start your browsing (as opposed to resetting Safari and emptying the cache when you finish browsing).
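On a public-access Mac you cannot count on each user choosing Reset Safari before walking away. The following script, an added example that is not part of this lesson, does the equivalent clean-up from the command line so that it can be run from a logout hook or a scheduled job. The file locations are those of Safari 2 on Mac OS X 10.4 as assumed by the author of this example (the "Form Values" AutoFill file in particular); check them on your own system before relying on the script. Safari must not be running, because it rewrites these files when it quits.

```shell
#!/bin/sh
# Added example, not from the lesson: clean up Safari session data on a
# public-access Mac, doing what Reset Safari and Empty Cache do from the GUI.
# The paths below are assumptions about Safari 2 on Mac OS X 10.4; verify them.

# One path per line, relative to the home directory given as $1 (default $HOME).
safari_data_paths() {
    home="${1:-$HOME}"
    cat <<EOF
$home/Library/Safari/History.plist
$home/Library/Safari/Downloads.plist
$home/Library/Safari/Form Values
$home/Library/Cookies/Cookies.plist
$home/Library/Caches/Safari
EOF
}

# Refuse to run while Safari is open: it would write the files back on quit.
# The bracketed pattern keeps grep from matching its own command line.
safari_running() {
    ps -A -o command= | grep -q '[M]acOS/Safari'
}

# Remove every listed path that exists and print what was removed, so a
# logout hook can log the run. Returns 1 without touching anything if Safari
# is still running.
reset_safari_data() {
    home="${1:-$HOME}"
    if safari_running; then
        echo "Safari is running; quit it first" >&2
        return 1
    fi
    safari_data_paths "$home" | while IFS= read -r path; do
        if [ -e "$path" ]; then
            rm -rf "$path" && echo "removed $path"
        fi
    done
}

# Count the listed paths that still exist; 0 means the session left nothing behind.
remaining_safari_data() {
    safari_data_paths "${1:-$HOME}" | while IFS= read -r path; do
        [ -e "$path" ] && echo "$path"
    done | wc -l | tr -d ' '
}

# Usage: run with --apply as the user whose session is ending.
if [ "${1:-}" = "--apply" ]; then
    reset_safari_data "$HOME"
fi
```

Google search entries are kept in Safari's preferences file rather than in these paths, so Reset Safari still covers slightly more than this script does.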
Using a Proxy Server
You can go one step further to control the content that reaches your client computers, and that is to filter it through a proxy server. Originally, proxy servers were used to speed Web access: it was much faster to grab cached content from your local server than to reload it over a slow Internet connection. Yet with current access speeds, it is usually not worth the effort of maintaining the service for that purpose. However, proxy servers do allow you to easily block access to specific sites, and you can import free or commercial blacklist files. This is less restrictive, and less precise, than Safari's built-in "allowed sites" mechanism. It has an advantage in that it scales well: you can have a great number of clients using the server as a proxy.
Setting up a proxy server will be covered later in this lesson. To configure Safari as a proxy client:
From Safari's application menu, select Preferences and click the Advanced tab.
Click the Proxies: Change Settings button.
This will open System Preferences > Network.
Open System Preferences > Built-in Ethernet and click the Proxies tab.
You must configure proxy settings for each network interface that has Internet access. Potentially this includes Ethernet, AirPort, Modem, Bluetooth, Built-in FireWire, and VPN.
Select the proxy server you want to configure; in this case, Web Proxy (HTTP).
Enter the address or DNS name of your Web proxy server.
Enter a user name and password for the proxy server, if necessary.
Click the Apply Now button.
From this point on, all of your client's Web traffic will be funneled through the proxy server, including its site-blocking filter.
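When you maintain many clients, or a client with several active interfaces, the per-interface clicking above is error-prone, and a single interface left unconfigured bypasses the proxy's site-blocking filter. The script below is an added example, not part of this lesson, that applies the same Web proxy to every network service from the command line. It assumes the networksetup tool; on Mac OS X 10.4 it is installed with Apple Remote Desktop at the path shown (on 10.5 and later it is /usr/sbin/networksetup), and proxy.example.com:8080 is a placeholder for your own proxy.

```shell
#!/bin/sh
# Added example, not from the lesson: set the Web proxy on every network
# service, mirroring the System Preferences steps above for each interface.
# Assumptions: the networksetup tool at the Apple Remote Desktop path below
# (Mac OS X 10.4) and a placeholder proxy host and port.
NETWORKSETUP="${NETWORKSETUP:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup}"
PROXY_HOST="${PROXY_HOST:-proxy.example.com}"
PROXY_PORT="${PROXY_PORT:-8080}"

# One service name per line. -listallnetworkservices prints a header line
# first and marks disabled services with a leading '*'; drop both.
list_services() {
    "$NETWORKSETUP" -listallnetworkservices | sed -e '1d' -e 's/^\*//'
}

# Point one service (e.g. "Built-in Ethernet", "AirPort") at the proxy for
# plain HTTP and for HTTPS, and switch both proxies on. If the proxy demands
# a user name and password, they are still entered per service as in the
# steps above.
set_web_proxy() {
    service="$1"
    "$NETWORKSETUP" -setwebproxy "$service" "$PROXY_HOST" "$PROXY_PORT" &&
    "$NETWORKSETUP" -setwebproxystate "$service" on &&
    "$NETWORKSETUP" -setsecurewebproxy "$service" "$PROXY_HOST" "$PROXY_PORT" &&
    "$NETWORKSETUP" -setsecurewebproxystate "$service" on
}

# Apply to every service, including ones that are currently disabled, so a
# VPN or AirPort connection brought up later still goes through the proxy.
# Returns 1 if any service could not be configured.
set_web_proxy_all() {
    status=0
    list="${TMPDIR:-/tmp}/services.$$"
    list_services > "$list"
    while IFS= read -r service; do
        set_web_proxy "$service" || status=1
    done < "$list"
    rm -f "$list"
    return $status
}

# Show what is now configured for one service ("Enabled: Yes", server, port).
show_web_proxy() {
    "$NETWORKSETUP" -getwebproxy "$1"
}

# Usage: run with --apply as an administrator.
if [ "${1:-}" = "--apply" ]; then
    set_web_proxy_all
fi
```

After running it, confirm the result for one service with show_web_proxy "Built-in Ethernet" and by loading a blocked site in Safari; the block page from the proxy is the quickest proof that traffic is really being funneled through it.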
Websites present many security risks. Without protection, anyone can read private information that you post on a website as long as they have the URL to the site. Also, when users send private information, such as a credit card number, to the server through a form, anyone with a packet sniffer can read the information because it is sent in clear text.
Included with the standard installation of Apache on Mac OS X Server is mod_ssl, an open source, freely distributed add-on module to Apache. This module lets Apache use OpenSSL, enabling cryptographically protected connections to Web servers via the SSL and Transport Layer Security (TLS) protocols.
Enabling SSL for Apache allows encrypted access to your Web services. SSL lets Web applications access your server in a secure way, hides passwords passed to your server in Web-based forms from packet sniffers, and encrypts data transmitted to a browser.
The mod_ssl package is not merely another module in Apache: it goes to the core of Apache by implementing its Extended Apache Programming Interface (EAPI). In addition, mod_ssl interfaces with the OpenSSL libraries for encryption, decryption, and other services.
SSL in Apache (HTTPS) typically runs on port 443, the standard HTTP-SSL port registered with IANA. However, you can configure it to run on any other port by creating a virtual host to handle the HTTPS content.
To enable mod_ssl, select ssl_module in the Modules pane in Server Admin, click Save and then restart the Web service.
You can find documentation for mod_ssl on your Mac OS X Server computer at /Library/Documentation/Services/apache_mod_ssl/index.html.