Safari always automatically prompts for approval before downloading files, and prevents some high-risk files (.exe's, .scr's, etc.) from being executed before downloading. Safari also has good default cookie control. It is the only browser among those I tested to prevent all writes by third-party cookies by default, which is a nice privacy bonus (and no doubt frustrating to ad vendors).
On Mac OS X systems, Safari's passwords are protected by Apple's Keychain password management system. But even on Windows, Safari's locally stored passwords are well protected. As in Internet Explorer, stored Web site passwords are never displayed. However, Safari took dead last in remote password handling, passing only 2 of 21 tests on the Password Manager Evaluator Web site.
Settings and ciphers
An optional menu called Develop (which replaces the previous Debug menu option) can be added to the menu bar to speed up Web page development testing, but it also has significant global security impacts. The Develop menu allows the user to quickly open a current Web page in another installed Web browser or to change User Agent strings on the fly (to see how the change affects Web page rendering). Installed plug-ins can be viewed -- but not enabled or disabled -- via an option under Safari's Help menu.
Safari is weaker than its competitors in several areas regarding digital certificates and SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic. Initially, in SSL/TLS negotiations, TLS with RSA and weak 128-bit RC4 keys are offered first and second in the cipher order. Worse, ECC (Elliptical Curve Cryptography), AES (Advanced Encryption Standard), and 256-bit keys are never offered as potential cipher choices; further, MD5 is offered first and more frequently than SHA-1, when it should be the other way around. It would seem that Apple hasn't been paying attention to crypto developments over the last few years.
Safari does warn of invalid digital certificates, but it isn't nearly as "in your face" as the other top browsers. It warns only once with a small pop-up message, whereas competitors literally change the entire Web page to red or multicolored warnings. Come to think of it, maybe Safari has it right: better to display one warning than many for a single problem. But then Safari fails to highlight the true domain name, as IE and Chrome do, making it more difficult to tell phishing sites from the real thing. Safari does point out Extended Validation (EV) certificates, as do all of its competitors.