New Safari adds undocumented security features
Last week, Apple released Safari 3.2 through Software Update. The release notes detailed a number of security fixes, mainly for Windows, so we didn’t think much about it here. However, it turns out to include two significant, undocumented new security features. There has been chatter on the Net about these features since Safari 3.2 was released, and TidBITS has recently published an excellent overview of the features and their utility (or lack thereof).
The two features are anti-phishing warnings and an indication that a secure site is using an Extended Validation (EV) digital certificate. The two are, in effect, opposites. If you go to a “very bad” site, one which is believed (by Google, it turns out) to be a phishing or otherwise fraudulent site, you get a warning to that effect and are asked whether you want to continue. On the other hand, if you go to a “very good” site, one which is using an advanced form of digital certificate to verify its identity, you get a visual indicator of this fact (the name of the company appears in green next to the lock icon in the upper right corner).
TidBITS rightly questions the utility of both of these features. Anti-phishing is similar to anti-virus in that the most recent phishing sites will probably not be on the list; TidBITS actually tried some of the most recent scams and got no warning when visiting the associated sites. The visual indicator for Extended Validation certificates is very easy to miss, and novices will have a hard time understanding what it means. The EV certificates themselves are of questionable merit, since they essentially mean only that a big company had enough money to pay for one and for the extra vetting process involved.
Both of these features, however, are becoming marketing “check marks” for Web browsers, so perhaps Apple felt it needed to implement them for that reason. And maybe that is also why Apple “neglected” to document them in the release notes.
Friday, November 21, 2008