SSL just tells you that the connection between you and that website will be encrypted. It doesn't tell you much about the actual website you're connected to. EvilSite.com can get an SSL certificate for less than $100 with little or not background check. With EV Certs (extended validation certificates) the site must go through a more substantial audit and that audit should give you more confidence that you're connecting to the real PayPal, for example, and not PayyPall (a fictional bad guy site.)

For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert:

* Establish the legal identity as well as the operational and physical presence of website owner;
* Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
* Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example.)

The other issue that's got PayPal concerned (and many others, including Mozilla) is phishing. Firefox has a built in Phishing Protection feature that warns you when you've ended up on a site known to be a phishing site. This is another way that you can know you're at the real PayPal and not PayyPall. IE 7 has a some protection against phishing too.

Safari has many great attributes, but helping users stay safe on the Web of 2008 isn't at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They're the third most popular browser and with a user base in the millions, they've got a real responsibility to stay competitive with the leading browsers.

Firefox and IE have both stepped up on this and so should Safari.

– A