How Apple sweats the security details – and sometimes gets it wrong
Privacy and security are selling points for Apple, and it walks the walk – even if it sometimes misses the mark. Dan Moren reports
When it comes to Apple differentiating itself from its Big Tech rivals, there’s one area in which the company has spent a lot of time touting its record: security and privacy. From the App Store to HomeKit, Apple talks a lot about making sure that your data stays yours.
This might seem like a no-brainer. After all, we trust our devices with the most intimate details of our lives and we live those lives increasingly online. But while we might think about the very obvious places where security is important (like making strong passwords or using two-factor authentication), there are plenty of other ways that our private data can leak out.
Sometimes that means making smaller changes, ones that may not be as understandable or as easily explainable to the average user, but can have just as many significant benefits in the long run. Even just in the past year, Apple has made a few of these moves to help improve security in ways that you may not be thinking about – as well as one or two that haven’t quite managed to help in the way intended.
TRUST BUT CERTIFY
Way back in February 2020, Apple announced that – starting in September – Safari would no longer accept HTTPS certificates that are older than 13 months. Now, that might not be a sentence that immediately has you nodding your head in complete understanding, but it’s important nonetheless. HTTPS certificates are the cryptographic mechanisms by which websites ensure that your information – name, contact details, credit card numbers – remains encrypted and secure. It’s signified by that little padlock in your browser’s address bar.
So why mandate that those certificates must be a certain age? Think about it like your driver’s license. If you only had to renew your license every ten or twenty years, for example, it might very well be out of date. The picture might not look like you, your address might be old, it might not reflect that you need glasses now. It might even, for example, be easier for somebody else to get hold of your ID and use it for themselves.
By requiring more frequent renewals of these certificates, the browser makes sure that everything stays on the up-and-up. Many companies create lots of certificates for various sites under their control – say for testing or development – and sometimes they’re abandoned when those sites have served their purpose. But because those valid certificates can linger on, they’re ripe for abuse by bad actors.
The good news is: this change has already happened and you likely haven’t noticed a thing. Plus, Google signed on to do the same for Chrome. Your browsing has already been more secure, and you had to do exactly nothing.
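For site operators, the lifetime rule described above can be checked across a certificate inventory. The following is an added example, not code from Apple or from this article: it assumes the limit as Apple published it (a validity period of no more than 398 days for certificates issued on or after 1 September 2020, roughly the 13 months cited here), and the host names and dates are constructed.

```python
import ssl

# Assumption taken from Apple's published policy, not from this article:
# validity may not exceed 398 days for certificates issued from the cutoff on.
MAX_VALIDITY_SECONDS = 398 * 86400
CUTOFF = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")


def check_lifetime(cert):
    """Classify a dict shaped like the result of ssl.SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= not_before:
        return "invalid"    # malformed validity window
    if not_before < CUTOFF:
        return "exempt"     # issued before the rule took effect
    if not_after - not_before > MAX_VALIDITY_SECONDS:
        return "rejected"   # lifetime longer than the limit
    return "accepted"


# Constructed inventory: hypothetical hosts with made-up validity dates.
INVENTORY = {
    "shop.example": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                     "notAfter": "Oct  1 00:00:00 2021 GMT"},
    "dev.example": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                    "notAfter": "Oct  1 00:00:00 2022 GMT"},
    "legacy.example": {"notBefore": "Jul  1 00:00:00 2020 GMT",
                       "notAfter": "Jul  1 00:00:00 2022 GMT"},
}


def audit(inventory):
    """Return a verdict per host so long-lived certificates stand out."""
    return {host: check_lifetime(cert) for host, cert in inventory.items()}


if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {verdict}")
```
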
DO NOT SHARE
That’s not the only place Apple has attempted to beef up Internet security. In December, it was announced that the Cupertino-based company had teamed up with web infrastructure and security company Cloudflare to help develop a more secure method for DNS requests.
The Domain Name System is basically the Internet’s phone book. It’s how computers figure out that when you type ‘apple.com’ in your browser, you want to navigate to the website at the IP address ‘17.253.144.10’ (which could actually be a variety of IP addresses, depending on your circumstances, but let’s not get too complicated).
The DNS system is distributed, meaning that there are tons of different servers that store this information, regularly syncing the information among each other. Most Internet users probably use the DNS server provided by their Internet Service Provider, and therein lies the rub. By default, DNS requests are transmitted in plain text instead of being encrypted, so your ISP (or whoever maintains the server) can see every single site you request. That means that information can be used to (at best) profile you for advertising purposes and (at worst) potentially intercept those requests and redirect you to a fake website.
While encrypted DNS requests have started to become more common, Apple and Cloudflare have proposed an additional security measure: oblivious requests. Not only does this encrypt DNS queries, but it passes them through a proxy server – a computer that sits in between your computer and the DNS server. In addition to the content of the requests being encrypted, the DNS server also can’t tell from whom or where the request originates.
The proposal hasn’t been officially adopted by standards groups yet, but it seems likely that it will be something that Apple is at least considering implementing. Keep an eye out for it in the next year or two.
FIRE THE FIREWALL
Despite the company’s efforts, not every attempt Apple makes at improving security is an unmitigated success. Take, for example, the recent revelation that macOS Big Sur exempts certain traffic from being passed through the system’s firewall – namely, traffic from its own apps.
At first blush, this might seem sensible. After all, Apple knows that its own apps are okay, right? The problem with this is that it turns out to be not particularly difficult to exploit one of those approved apps and essentially pass any data through the firewall, without a check. At the time of writing, Apple still hasn’t responded to inquiries about this decision or made any move to change it. Here’s hoping the company addresses the decision in a future OS update.
Any interaction with technology always tries to balance convenience with security, and while in the cases of oblivious DNS and reduced HTTPS certificate lifetimes Apple may have managed to adroitly walk that line, nobody ever gets it right all of the time. Still, on balance, the trend for Apple definitely seems to be towards improving security, even when it’s in cases that most users will never notice.