
It’s nice to see a bit of Safari love around here. Some sites occasionally break, but I really like the macOS/iOS integrations. SMS code autofill on desktop Safari (via Mac <-> iPhone communication) is pretty awesome.


> It’s nice to see a bit of Safari love around here.

The one thing I cannot stand is that fucking URL/search bar (I detest these things in general, but Safari has the worst implementation). Most implementations (e.g. Firefox and Chrome) will encode the space and go on their way, meanwhile Safari translates a space into a search unconditionally — because clearly I want my wikipedia viewing history to end up in my search history FFS. I'm also not a fan of view source opening in a dev tools frame versus a new tab/window like Chrome and Firefox.

Speaking of the dev tools, I was just poking around and saw this in the console:

[Info] Successfuly preconnected to https://securepubads.g.doubleclick.net/

[Info] Successfuly preconnected to https://aax.amazon-adsystem.com/

Interesting as I'm running uBlock Origin (which is, admittedly, more neutered on Safari). I know I've disabled that prefetching before, but I no longer see any options to turn it off. Speaking of UBO, Safari loves to claim UBO will increase energy consumption and slow down my browsing (HA). I wonder if the "disable plugins to save energy" option means that Safari will kill uBlock whenever it feels like. :/


> Most implementations (e.g. Firefox and Chrome) will translate a space into a search unconditionally.

What would you rather have it do? URL encode it?


> What would you rather have it do? URL encode it?

Yes. I missed a few words on the original edit.


Doesn't that defeat the purpose of MFA?


No... the computer is a second factor just as much as a phone. Something you know (password) + something you have (computer) = MFA


If they already have your phone, you're already pwned.


>If they already have your phone, you're already pwned.

No, that's not what GP means. If the attacker manages to get malware on the Mac, for example by exploiting a browser 0day, then the attacker can simply circumvent the 2FA by making the Mac fetch the 2FA code. The user won't notice it.


If the attacker manages to get malware on the Mac, they can also wait for you to do a login, and steal your 2FA code as you enter it.


Or just steal your session tokens. Not all apps are secure enough to prevent session roaming.


Or just remote drive your session. Token exfiltration isn't required if you can do XSS or, say, script injection via browser extensions (and exfiltration is more likely to hit anomaly/fraud detection).


Same could be said of the phone, right? A zero day on the phone would circumvent the 2FA.

Really, the SMS part is the actual weak link in the chain. Easier to hijack SMS than own a computer or phone.


> Easier to hijack SMS than own a computer or phone.

That depends on the country, in Germany it's way more difficult.


Why would you say that? All it takes is one telco employee taking a bribe or screwing up some configuration or...


Why?


I noticed this the other day and was very pleased.

Also, if you have Touch ID then you can use it on Safari to autofill login credentials. I just wish Safari had an active plugin ecosystem like Firefox (or Chrome) does.


Apple did their best to kill that ecosystem stone cold. I guess the current situation is unlikely to change anytime soon.


When my bank sends a login token via SMS, Safari can also copy the token out from iMessage and autofill the value - which is quite convenient, but also a little too much for my preference.

