How safe is Apple’s Safe Browsing?

This dawn brings new and agitate news from the domain of Apple. It appears that, at least on io 13, Apple is sharing some part of your web browsing history with the chinese pudding stone Tencent. This is being done as separate of Apple ’ s “ Fraudulent Website Warning ”, which uses the Google-developed Safe Browsing engineering as the bet on end. This feature appears to be “ on ” by default in io Safari, meaning that millions of users could potentially be affected .
apple-safari-ip-addresses-tencent-2
As is the standard for this kind of news, Apple hasn ’ metric ton provided much — well, any — detail on whose browsing history this will affect, or what screen of privacy mechanisms are in place to protect its users. The changes credibly affect merely Chinese-localized users ( see Github commits, courtesy Eric Romang ), although it ’ s difficult to know for sealed. however, it ’ s luminary that Apple ’ s warning appears on U.S.-registered iPhones .
Regardless of which users are affected, Apple hasn ’ t said much about the privacy implications of shifting Safe Browsing to use Tencent ’ sulfur servers. Since we lack concrete information, the best we can do is talk a bit about the engineering and its implications. That ’ s what I ’ thousand going to do below .

What is “Safe Browsing”, and is it actually safe?

respective years ago Google noticed that vane users tended to blunder into malicious sites as they browsed the web. This included phishing pages, ampere well as sites that attempted to push malware at users. Google besides realized that, due to its alone advantage luff, it had the most comprehensive list of those sites. surely this could be deployed to protect users.

The result was Google ’ s “ safe browse ”. In the earliest version, this was merely an API at Google that would allow your browser to ask Google about the safety of any URL you visited. Since Google ’ randomness servers received the full moon URL, ampere well as your IP cover ( and possibly a track cookie to prevent denial of service ), this first API was kind of a privacy nightmare. ( This API however exists, and is supported today as the “ Lookup API “. )
To address these concerns, Google promptly came up with a safer approach to, um, “ safe shop ”. The new approach was called the “ Update API ”, and it works like this :

  1. Google first computes the SHA256 hash of each unsafe URL in its database, and truncates each hash down to a 32-bit prefix to save space.
  2. Google sends the database of truncated hashes down to your browser.
  3. Each time you visit a URL, your browser hashes it and checks if its 32-bit prefix is contained in your local database.
  4. If the prefix is found in the browser’s local copy, your browser now sends the prefix to Google’s servers, which ship back a list of all full 256-bit hashes of the matching  URLs, so your browser can check for an exact match.

At each of these requests, Google ’ second servers see your IP address, adenine well as other identifying information such as database state. It ’ south besides possible that Google may drop a cookie into your browser during some of these requests. The safe Browsing API doesn ’ t say much about this today, but Ashkan Soltani noted this was happening back in 2012 .
It goes without saying that Lookup API is a privacy calamity. The “ Update API ” is much more private : in principle, Google should only learn the 32-bit hashes of some crop requests. furthermore, those truncated 32-bit hashes won ’ metric ton precisely reveal the identity of the URL you ’ ra access, since there are probable to be many collisions in such a short identifier. This provides a shape of k- anonymity .
The weakness in this approach is that it entirely provides some privacy. The typical exploiter won ’ deoxythymidine monophosphate merely visit a single URL, they ’ ll browse thousands of URLs over time. This means a malicious provider will have many “ bites at the apple ” ( no pun intended ) in order to de-anonymize that drug user. A user who browses many relate websites — say, these websites — will gradually leak details about their shop history to the supplier, assuming the provider is malicious and can link the requests. ( Updated to add : There has been some academic research on such threats. )
And this is why it ’ s sol important to know who your supplier actually is .

What does this mean for Apple and Tencent?

That ’ s ultimately the wonder we should all be asking.

The trouble is that condom Browsing “ update API ” has never been precisely “ dependable ”. Its aim was never to provide sum privacy to users, but preferably to degrade the quality of browsing data that providers collect. Within the menace model of Google, we ( as a privacy-focused community ) largely concluded that protecting users from malicious sites was worth the risk. That ’ sulfur because, while Google surely has the brain to extract a bespeak from the noisy Safe Browsing results, it seemed improbable that they would bother. ( Or at least, we hoped that person would blow the pennywhistle if they tried. )
But Tencent isn ’ metric ton Google. While they may be fair as trustworthy, we deserve to be informed about this kind of change and to make choices about it. At identical least, users should learn about these changes before Apple pushes the sport into production, and thus ask millions of their customers to trust them .

We shouldn’t have to read the fine print

When Apple wants to advertise a major privacy feature, they ’ re damned good at it. As an model : this by summer the party announced the free of the privacy-preserving “ Find My ” have at WWDC, to far-flung acclaim. They ’ ve besides been felicitous to claim credit for their bring on encoding, including technology such as iCloud Keychain .
But recently there ’ second been a troubling secrecy out of Cupertino, by and large related to the company ’ south interactions with China. Two years ago, the company moved much of iCloud waiter infrastructure into mainland China, for default option function by chinese users. It seems that Apple had no choice in this, since the go was mandated by taiwanese law. But their hush was deafening. Did the motivate involve transferring key servers for end-to-end encoding ? Would non-Chinese users be affected ? Reporters had to drag the answers out of the company, and we silent don ’ t know many of them .
In the Safe Browsing change we have another exercise of Apple making significant modifications to its privacy infrastructure, largely without publicity or announcement. We have learn about this gorge from the fine print. This border on to privacy issues does users around the world a disservice .
It increasingly feels like Apple is two different companies : one that puts the exemption of its users first, and another that treats its users identical differently. possibly Apple feels it can navigate this rip personality disorder and still maintain its integrity.

I very much doubt it will work .

Leave a Reply

Your email address will not be published.