Safari 1.2.3 (#2): Possible fix for non-secure site connectivity issue; update on dialog box vulnerability
Safari 1.2.3 (#2): Possible fix for non-secure site connectivity issue; update on dialog box vulnerability
Possible fix for connectivity issue where only secure sites can be accessed Yesterday we noted an issue where Safari 1.2.3 refuses to connect to any sites but those that are secure (i.e. https://). Other browsers are unaffected for users experiencing the issue.
We've since identified a workaround that has been corroborated as successful by MacFixIt readers experiencing this problem.
- In the Network pane of System Preferences, access the "Show:" pull-down menu, and select the network interface you are using (Ethernet, AirPort, Internal modem, etc.)
- Click "Proxies."
- If it is checked, uncheck Web Proxy (HTTP).
- Click Apply Now.
- Open Safari and try accessing a non-secure (http://) site.
MacFixIt reader Brian is one reader who had success with this solution:
"I was having the same problem, but it was effecting *every* out-going non-secure TCP/IP connection (not just Safari). This was at my work where we all have assigned/static IPs. After hours of troubleshooting trying different IPs provided by our IS people, changing the order of the DNS entries, etc. I stumbled upon the problem.
"As I was poking around in the Ethernet Configuration panel(s) I found that my Web Proxy (HTTP) was enabled with the address for the VPN tunnel that I use when I'm at home. I have no idea how this proxy became enabled as I do not use proxies at all and I am the sole user/administrator to my PowerBook, but as soon as I removed the proxy, all was back to normal."
Opposite problem -- only http://, and not https:// sites can be accessed Meanwhile, a few readers (all of the reports we've had so far are from users running Mac OS X 10.2.x) note an opposite problem -- they can only access http:// sites and not secure https:// sites.
MacFixIt reader Bill writes "I am experiencing the opposite problem. Safari can connect to any http:// site but can't find many https:// sites, such as the Yahoo mail secure login page. I have to use ugh -- Internet Explorer/"
Alan Robinson adds "Isn't intriguing that people with 10.3.x seem able to connect ONLY to secure servers , while with 10.2.8, I find the opposite : I can connect to http servers but to no secure servers."
Update on dialog box vulnerability Yesterday we also noted a vulnerability reported by Secunia where inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window. This can be exploited by a malicious web site to show a dialog box, which seems to originate from a trusted web site.
Several MacFixIt readers tried to replicate the vulnerability (using Secunia's test) but did not see inactive windows generating the problematic dialog boxes when using tabs.
Secunia, made aware of the reader experiences, has modified its report on the vulnerability to exclude tabs. A company representative writes:
"You are right the vulnerability does not work in Safari if opened in tabs.
"However, it does work if the link is opened in a new window (We also described this in our advisory about Safari) and we have updated our test with a note about this.
Feedback? Late-breakers@macfixit.com.
Resources