Apple Deprecates SHA-1 Certificates in macOS Catalina and iOS 13

In a new support document, Apple has indicated that macOS Catalina and iOS 13 drop support for TLS certificates signed with the SHA-1 hash algorithm, which is now considered to be insecure. SHA-2 is now required at a minimum.


Apple says all TLS server certificates must comply with these new security requirements in macOS Catalina and iOS 13:
  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Effective immediately, any connection to a TLS server that violates these requirements will fail, which according to Apple may cause network failures, apps to stop working, and websites to not load in Safari on macOS Catalina and iOS 13.
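As an added example (not from Apple's support document or from MacRumors), this Go program applies the three requirements above to a parsed certificate. It uses only the standard library and builds two self-signed test certificates so it runs offline: the hostnames and the 1024-bit, SHA-1-signed "legacy" certificate are constructed for the demonstration, and the function names are assumptions made here. To check a live server you would instead pass each element of `tls.Dial`'s `ConnectionState().PeerCertificates` through `CheckAppleTLSPolicy`, since the key-size and signature rules apply to issuing CAs as well as to the leaf.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckAppleTLSPolicy applies the three Catalina / iOS 13 requirements to a
// parsed certificate and returns one message per violation (none if compliant).
// Only the certificate passed in is examined; call it on every chain element.
func CheckAppleTLSPolicy(cert *x509.Certificate) []string {
	var findings []string

	// Rule 1: RSA keys must be at least 2048 bits.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings,
			fmt.Sprintf("RSA key is %d bits; Catalina/iOS 13 require at least 2048", pub.N.BitLen()))
	}

	// Rule 2: the signature must use a hash from the SHA-2 family.
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		// SHA-2 family: compliant
	default:
		findings = append(findings,
			fmt.Sprintf("signature algorithm %s is not from the SHA-2 family", cert.SignatureAlgorithm))
	}

	// Rule 3: the DNS name must be in the SAN extension; a CommonName alone no longer counts.
	if len(cert.DNSNames) == 0 {
		findings = append(findings,
			fmt.Sprintf("no DNS name in Subject Alternative Name (CommonName %q alone is no longer trusted)",
				cert.Subject.CommonName))
	}
	return findings
}

// newSelfSignedRSA builds a self-signed test certificate so the checker can be
// exercised offline. Constructed for this example only; real servers present
// CA-issued certificates.
func newSelfSignedRSA(bits int, sigAlg x509.SignatureAlgorithm, cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		DNSNames:           dnsNames,
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: a certificate that breaks all three rules ...
	legacy, err := newSelfSignedRSA(1024, x509.SHA1WithRSA, "legacy.example.test", nil)
	if err != nil {
		panic(err)
	}
	// ... and one that satisfies them.
	modern, err := newSelfSignedRSA(2048, x509.SHA256WithRSA, "www.example.test", []string{"www.example.test"})
	if err != nil {
		panic(err)
	}
	for name, cert := range map[string]*x509.Certificate{"legacy": legacy, "modern": modern} {
		findings := CheckAppleTLSPolicy(cert)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The legacy certificate produces three findings (key size, SHA-1 signature, and a missing SAN), while the modern one produces none; a server whose chain yields any finding is the one that will start failing on Catalina and iOS 13 clients.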

Google, Microsoft, and Mozilla all deprecated SHA-1 certificates in 2017.


This article, "Apple Deprecates SHA-1 Certificates in macOS Catalina and iOS 13" first appeared on MacRumors.com


Apple Previews New Privacy-Focused Ad Tracking Solution Coming to Safari Later This Year

Apple today previewed a new Safari feature called Privacy Preserving Ad Click Attribution that it says will allow advertisers to measure the effectiveness of their ad campaigns on the web without compromising user privacy.


In a blog post, WebKit engineer John Wilander explains that ad click attribution has traditionally been done through the use of cookies and so-called "tracking pixels," allowing both the advertiser and the website where the ad was placed to know when someone has clicked on an ad and later purchased something.

Wilander says the traditional method of ad click attribution has no practical limit on data, allowing for full cross-site tracking of users using cookies. "We believe this is privacy invasive and thus we are obliged to prevent such ad click attribution from happening in Safari and WebKit," he wrote.

Thus, Apple has proposed a modern solution that it says doesn't allow for cross-site tracking of users but does provide a means of measuring the effectiveness of online ads. The feature is built into the browser itself and runs on-device, meaning that the browser vendor does not see any of the ad data.

Here is Apple's summary of its privacy considerations for the feature:
  • Only links served on first-party pages should be able to store ad click attribution data.
  • Neither the website where the ad click happens nor the website where the conversion happens should be able to see whether ad click data has been stored, has been matched, or is scheduled for reporting.
  • Ad clicks should only be stored for a limited time, such as a week.
  • The entropy of both ad campaign ID and conversion data needs to be restricted to a point where this data cannot be repurposed for cross-site tracking of users. We propose six bits each for these two pieces of data, or values between 0 and 63.
  • Ad click attribution requests should be delayed randomly between 24 to 48 hours. This makes sure that a conversion that happens shortly after an ad click will not allow for speculative cross-site profiling of the user. The randomness in the delay makes sure the request does not in itself reveal when during the day the conversion happened.
  • The browser should not guarantee any specific order in which multiple ad click attribution requests are sent, since the order itself could be abused to increase the entropy and allow for cross-site tracking of users.
  • The browser should use an ephemeral session aka Private or Incognito Mode to make ad click attribution requests.
  • The browser should not use or accept any credentials such as cookies, client certificates, or Basic Authentication in ad click attribution requests or responses.
  • The browser should offer a way to turn ad click attribution on and off. We intend to have the default setting to be on to encourage websites to move to this technology and abandon general cross-site tracking.
  • The browser should not enable ad click attribution in Private/Incognito Mode.
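The entropy, expiry and delay rules from the list above, as an added Go model written for this page (it is not WebKit's implementation): campaign IDs and conversion values are checked against the 6-bit budget, clicks older than a week are ignored, and the report is scheduled 24 to 48 hours out with a delay drawn from crypto/rand so the request time does not reveal when the conversion happened. The AdClick and Report types, the function names and the sample sites are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	attributionBits = 6                      // campaign ID and conversion data: 6 bits each
	maxAttribution  = 1<<attributionBits - 1 // 63
	clickLifetime   = 7 * 24 * time.Hour     // stored clicks are dropped after a week
	minReportDelay  = 24 * time.Hour
	maxReportDelay  = 48 * time.Hour
)

// AdClick is what the browser stores after a click on a first-party link that
// carries a campaign ID. The campaign ID is validated with ValidateAttributionValue
// before it is stored.
type AdClick struct {
	CampaignID int
	Source     string // site where the ad was clicked
	Dest       string // site the link led to (where a conversion may happen)
	ClickedAt  time.Time
}

// Report is the only thing that leaves the browser: two 6-bit values, the two
// sites, and a send time decoupled from the conversion time.
type Report struct {
	CampaignID     int
	ConversionData int
	Source, Dest   string
	SendAt         time.Time
}

// ValidateAttributionValue enforces the 6-bit entropy budget (0..63).
func ValidateAttributionValue(v int) error {
	if v < 0 || v > maxAttribution {
		return fmt.Errorf("value %d outside 0..%d", v, maxAttribution)
	}
	return nil
}

// ReportDelay draws a uniform random delay in [24h, 48h) from crypto/rand.
func ReportDelay() (time.Duration, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(maxReportDelay-minReportDelay)))
	if err != nil {
		return 0, err
	}
	return minReportDelay + time.Duration(n.Int64()), nil
}

// Attribute runs when dest registers a conversion. It matches the most recent
// unexpired click that led to dest and schedules a single delayed report.
func Attribute(clicks []AdClick, dest string, conversionData int, now time.Time) (*Report, error) {
	if err := ValidateAttributionValue(conversionData); err != nil {
		return nil, err
	}
	var best *AdClick
	for i := range clicks {
		c := &clicks[i]
		if c.Dest != dest || now.Sub(c.ClickedAt) > clickLifetime {
			continue // wrong site, or older than the one-week storage limit
		}
		if best == nil || c.ClickedAt.After(best.ClickedAt) {
			best = c
		}
	}
	if best == nil {
		return nil, errors.New("no unexpired ad click for this site")
	}
	delay, err := ReportDelay()
	if err != nil {
		return nil, err
	}
	return &Report{
		CampaignID:     best.CampaignID,
		ConversionData: conversionData,
		Source:         best.Source,
		Dest:           best.Dest,
		SendAt:         now.Add(delay),
	}, nil
}

func main() {
	now := time.Now()
	clicks := []AdClick{ // constructed sample clicks; the first one is past the one-week limit
		{CampaignID: 12, Source: "news.example", Dest: "shop.example", ClickedAt: now.Add(-9 * 24 * time.Hour)},
		{CampaignID: 37, Source: "news.example", Dest: "shop.example", ClickedAt: now.Add(-2 * time.Hour)},
	}
	r, err := Attribute(clicks, "shop.example", 5, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("campaign %d, conversion %d, report to %s due in %s\n",
		r.CampaignID, r.ConversionData, r.Source, r.SendAt.Sub(now).Round(time.Minute))
}
```

Neither site learns from the Report whether a click was stored or matched: the browser holds the click, performs the match, and sends only the two 6-bit values at a time chosen by the browser. A value of 64 or more for either field is rejected, because every extra bit would widen the channel available for cross-site identification.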
Privacy Preserving Ad Click Attribution is available as an experimental feature in Safari Technology Preview 82 and later. To turn on the feature, enable the Develop menu and navigate to the Experimental Features submenu.

Apple says the feature will be turned on for web developers later this year. The company has also recommended it as a web standard to the W3C.




Two Zero-Day Vulnerabilities Discovered in Safari for Mac on Day One of Pwn2Own Hacking Contest

The 19th annual CanSecWest security conference is underway in Vancouver, Canada, including the annual Pwn2Own hacking contest, and two zero-day security vulnerabilities have so far been discovered in Safari on macOS.


The contest kicked off on Wednesday with security researchers Amat Cama and Richard Zhu teaming up against Safari. The duo successfully exploited the browser and escaped the sandbox by using a combination of an integer overflow, heap overflow, and brute force technique, earning them $55,000.

Later in the day, a trio of Niklas Baumstark, Luca Todesco, and Bruno Keith targeted Safari with a kernel elevation. They demonstrated a complete system compromise, but it was only a partial win since Apple supposedly already knew of one of the bugs used in the demo. They still netted $45,000.


In total, participants were awarded $240,000 on day one of Pwn2Own. Day two of the contest is currently underway. All exploits demonstrated during the contest are reported to the relevant vendors, such as Apple, so the underlying bugs can be patched.




iOS 12.2 and Safari 12.1 for macOS Include Updated Intelligent Tracking Prevention Feature

Safari in the iOS 12.2 beta and Safari 12.1 for macOS High Sierra and Mojave includes an updated version of Intelligent Tracking Prevention, according to details shared on Apple's WebKit blog.

ITP 2.1, as Apple is calling it, caps client-side cookie storage to seven days. After this time period, cookies expire. As outlined by Apple, this offers improvements in privacy, security, and performance. From Apple's WebKit blog:
- Cross-site trackers have started using first-party sites' own cookie jars for the purpose of persistent tracking. The first-party storage space is especially troublesome for privacy since all tracker scripts in the first-party context can read and write each other's data. Say social.example writes a user tracking ID as a news.example first-party cookie. Now analytics.example, adnetwork.example, and video.example can leverage or cross pollinate that user tracking ID through their scripts on news.example.

- Cookies available in document.cookie can be stolen by speculative execution attacks on memory. Therefore, they should not carry sensitive information such as credentials.

- Cookies available in document.cookie can be stolen by cross-site scripting attacks. Again, therefore, they should not carry sensitive information such as credentials.

- The proliferation of cookies slows down page and resource loads since cookies are added to every applicable HTTP request. Additionally, many cookies have high entropy values which means they cannot be compressed efficiently. We come across sites with kilobytes of cookies sent in every resource request.

- There is a size limit on outgoing cookie headers for performance reasons, and websites risk hitting this limit when cross-site trackers add first-party cookies. We've investigated reports of news site subscribers getting spuriously logged out, and found that trackers were adding so many cookies that the news site's legitimate login cookie got pushed out.
The cookie storage limit will not log users out as long as websites use proper authentication cookies, because it only affects cookies created through document.cookie.
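To show what the document.cookie cap does and does not touch, here is an added Go example (not WebKit code) that models the ITP 2.1 rule: it parses a server Set-Cookie line with net/http, computes the expiry that would be honoured for a server-set versus a script-set cookie, and audits whether a login cookie is HttpOnly and Secure, which is what keeps it out of document.cookie and therefore out of reach of both the cap and injected script. The cookie names and values, the CookieOrigin type and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// CookieOrigin records how a cookie came to exist; ITP 2.1 treats the two cases differently.
type CookieOrigin int

const (
	ViaDocumentCookie  CookieOrigin = iota // written by script through document.cookie
	ViaSetCookieHeader                     // set by the server in an HTTP response
)

// scriptCookieCap is the seven-day lifetime ITP 2.1 imposes on document.cookie cookies.
const scriptCookieCap = 7 * 24 * time.Hour

// ParseSetCookie parses a single Set-Cookie header line with net/http's parser.
func ParseSetCookie(line string) (*http.Cookie, error) {
	resp := &http.Response{Header: http.Header{"Set-Cookie": {line}}}
	cs := resp.Cookies()
	if len(cs) == 0 {
		return nil, fmt.Errorf("unparseable Set-Cookie: %q", line)
	}
	return cs[0], nil
}

// RequestedExpiry is the lifetime the site asked for; the zero time means a session cookie.
func RequestedExpiry(c *http.Cookie, now time.Time) time.Time {
	if c.MaxAge > 0 {
		return now.Add(time.Duration(c.MaxAge) * time.Second)
	}
	return c.Expires
}

// EffectiveExpiry applies the ITP 2.1 rule: persistent cookies created through
// document.cookie live at most seven days; server-set cookies keep their expiry.
func EffectiveExpiry(c *http.Cookie, origin CookieOrigin, now time.Time) time.Time {
	want := RequestedExpiry(c, now)
	if want.IsZero() {
		return want // session cookie: not affected by the cap
	}
	if limit := now.Add(scriptCookieCap); origin == ViaDocumentCookie && want.After(limit) {
		return limit
	}
	return want
}

// AuditAuthCookie lists why a login cookie would be exposed or short-lived:
// anything reachable from document.cookie can be read by any script on the page
// and is subject to the cap, so auth cookies should be server-set and HttpOnly.
func AuditAuthCookie(c *http.Cookie, origin CookieOrigin) []string {
	var findings []string
	if origin == ViaDocumentCookie {
		findings = append(findings, "created through document.cookie: readable by page scripts and capped at 7 days")
	}
	if !c.HttpOnly {
		findings = append(findings, "missing HttpOnly: value is exposed through document.cookie")
	}
	if !c.Secure {
		findings = append(findings, "missing Secure: cookie is also sent over plain HTTP")
	}
	return findings
}

func main() {
	now := time.Now()
	// Constructed sample: a login cookie set by the server with a 30-day lifetime.
	server, err := ParseSetCookie("session=r4nd0m; Path=/; Max-Age=2592000; HttpOnly; Secure")
	if err != nil {
		panic(err)
	}
	// Constructed sample: a tracker ID a third-party script wrote via document.cookie, same lifetime.
	script := &http.Cookie{Name: "_trk", Value: "u-123", MaxAge: 2592000}

	fmt.Println("server cookie lives", EffectiveExpiry(server, ViaSetCookieHeader, now).Sub(now).Round(time.Hour),
		"findings:", AuditAuthCookie(server, ViaSetCookieHeader))
	fmt.Println("script cookie lives", EffectiveExpiry(script, ViaDocumentCookie, now).Sub(now).Round(time.Hour),
		"findings:", AuditAuthCookie(script, ViaDocumentCookie))
}
```

The server-set session cookie keeps its full 30 days and passes the audit, while the script-written tracker cookie is cut to seven days and is flagged on all three points; this is the behaviour behind Apple's statement that the limit does not log out users of sites that authenticate properly.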

ITP 2.1 also allows only a single set of cookies per site rather than multiple sets, and third-party tools with cross-site tracking capabilities must use the Storage Access API to get cookie access.

Apple says this change simplifies cookie behavior for developers, lowers the memory footprint of Safari, and makes Intelligent Tracking Prevention compatible with more platforms.

A verified partitioned cache for cutting down on cache abuse for tracking purposes is also included, and as we covered earlier this month, support for Do Not Track has been disabled.

Apple says that it is removing Do Not Track because most websites never paid any attention to it since it was opt-in and could be ignored.
The DNT project recently ended without the publication of a standard, in part "because there has not been sufficient deployment of these extensions (as defined) to justify further advancement." Given the lack of deployment of DNT and Safari's on by default privacy protections such as ITP, Safari removed support for DNT so that users are not presented with a misleading and ineffective privacy control that, if anything, only offered additional browser fingerprinting entropy.
Additional details on the Intelligent Tracking Prevention updates being introduced are available via Apple's full WebKit blog post.




Apple Removes Useless ‘Do Not Track’ Feature From Latest Beta Versions of Safari

In the release notes for Safari 12.1, the new version of Apple's browser installed in iOS 12.2, Apple says that it is removing support for the "Do Not Track" feature, which is now outdated.

From the release notes: "Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable."

Do Not Track is no longer an option in iOS 12.2, as seen in the iOS 12.2 screenshot on the left; the iOS 12.1.3 screenshot is on the right.

The same feature was also removed from Safari Technology Preview today, Apple's experimental macOS browser, and it is not present in the macOS 10.14.4 betas. According to Apple, Do Not Track is "expired" and support is being eliminated to prevent its use as, ironically, a fingerprinting variable for tracking purposes.

"Do Not Track" is an outdated feature that was added to Safari quite a long time ago, first showing up in OS X Lion in 2011. Proposed by the FTC, "Do Not Track" is a preference that is sent by a user's browser to various websites requesting that advertising companies not use tracking methods.

It is entirely up to the advertising companies to comply with the "Do Not Track" messaging, and it has no actual function beyond broadcasting a user preference. All it does is say something to the effect of "hey, I prefer not to be tracked for targeted advertisements," which websites, advertisers, and analytics companies are free to ignore.

In the settings for Safari in iOS 12.2, Apple is no longer listing "Do Not Track" as a setting that can be toggled off or on, and in the Safari Preview browser, "Ask websites not to track me" is no longer listed as an option.


To replace Do Not Track, Apple has been implementing much more stringent Intelligent Tracking Prevention options, which do actually have a tangible effect and prevent the tracking methods that many advertisers and analytics sites use to detect your cross-site internet browsing.




Apple to Limit Accelerometer and Gyroscope Access in Safari on iOS 12.2 for Privacy Reasons

Last month, Apple released iOS 12.2 in beta with several new features, including the Apple News app in Canada, a redesigned TV remote in Control Center, support for adding HomeKit-enabled TVs in the Home app, and more.

The upcoming software update also introduces a new Motion & Orientation Access toggle under Settings > Safari > Privacy & Security. Toggled off by default, this new setting must be turned on in order for websites to display features that rely on motion data from the gyroscope and accelerometer in the iPhone, iPad, and iPod touch.


To test this, we loaded the What Web Can Do Today website on an iPhone running the first beta of iOS 12.2. With the Motion & Orientation Access setting toggled on, the page shows real-time accelerometer and gyroscope data from the iPhone. With the setting toggled off, no motion data is shown.

Another example is Apple's motion-based iPhone experience site. This page normally allows you to tilt your actual iPhone to swivel the iPhone XS Max on the screen with tech specs. With Motion & Orientation Access toggled off, however, only a static image of the iPhone XS Max is shown without tech specs.


This privacy-focused change could be in response to a WIRED report last year that claimed thousands of websites have unmitigated access to motion, orientation, proximity, and light sensor data on mobile devices.

As noted by Digiday, the setting could have implications for AR/VR advertising:
For example, Samsung's "Samsung Within" web-based interactive experience, developed by R/GA to promote the hardware brand's legacy and its Galaxy Note 9 phone, uses the accelerometer to let people explore the night sky.

"It's definitely going to break things," said Kai Tier, executive technology director at R/GA.
These AR/VR experiences may have to rely on fallback versions that people can navigate with swipe gestures instead, but this largely defeats the purpose of motion-based, interactive campaigns.

It's quite possible Apple could tweak how this feature works in time for the public release of iOS 12.2. Perhaps the setting will be toggled on by default in a subsequent beta, for example, or Safari could prompt users for permission to access motion data when necessary as it does with location data.




Still Running OS X Yosemite? Beware, iTunes 12.8.1 Breaks Safari

Apple this week released iTunes 12.8.1 for OS X Yosemite up to macOS High Sierra. The minor update resolves an issue that prevented iTunes from streaming media to third-party AirPlay speakers, and contains other minor improvements.


However, anyone running OS X Yosemite 10.10.5 specifically should avoid updating to iTunes 12.8.1 for now, as users across the MacRumors Forums, Twitter, Reddit, and Stack Exchange report that the update somehow breaks Safari 10.1.2, the latest version of the browser for OS X Yosemite.

After updating to iTunes 12.8.1, some users have encountered the following error message when opening Safari on OS X Yosemite:
Safari cannot be opened because of a problem.

Check with the developer to make sure Safari works with this version of Mac OS X. You may have to reinstall the application. Be sure to install any available updates for the application and Mac OS X.
One user on Stack Exchange believes that the iTunes 12.8.1 update may update /System/Library/PrivateFrameworks/MobileDevice.framework to a version incompatible with Safari 10.1.2, but the cause is not entirely clear. We've flagged the issue with Apple and asked if and when a fix will be available.

In the meantime, workarounds include using an alternative browser such as Firefox or upgrading to a newer macOS version — of course, those still using OS X Yosemite likely don't want to or can't upgrade. Updating to iTunes 12.9 is not possible on OS X Yosemite, as that version is only compatible with macOS Mojave.

We'll update this article when a fix is available.



How to Perform a Quick Website Search in Safari

There are several ways to search the web in Apple's Safari browser. In this article, we're going to highlight a way of searching specific websites using a lesser-known Safari feature called Quick Website Search. The option is designed to work with sites that have a built-in search field, like the one you can find at the top of the main page at MacRumors.com. Here's how it works.


Let's say you want to look up articles on MacRumors that mention device benchmarks. You might do this by typing "macrumors benchmarks" into Safari's address bar to get results from whichever search engine the browser is configured to use. If you're a bit more search savvy, you might even type "site: macrumors.com benchmarks" to limit the search to MacRumors. But ideally you'd just navigate to MacRumors.com and use the search field provided at the top of the page.


If you take the latter option and Quick Website Search is enabled, Safari will remember that you've used the MacRumors search field and offer to use it again in future searches that include the website's name. For example, if you typed "macrumors" followed by "deals" directly into Safari's address bar, you could tap the option Search macrumors.com for "deals" in the suggestions box, as shown above, and you'd get instant results from MacRumors' own on-site search function.

How to Enable Quick Website Search in iOS


The functionality of Quick Website Search depends on how a given site implements its search field, but we've found that it works with most popular websites that offer them, so it's worth making sure you have the feature enabled. To do this on iPhone and iPad, launch the Settings app, tap Safari -> Quick Website Search and slide the Quick Website Search toggle to the green ON position.


Notice on this screen that you can also tap Edit to remove websites from the list of shortcuts that Safari automatically adds to whenever you use a site-specific search field.

How to Enable Quick Website Search on Mac


The feature works the same way in Safari for macOS. To see if it's enabled, select Safari -> Preferences... from the menu bar, choose the Search tab, and make sure the checkbox is ticked next to Enable Quick Website Search.


Lastly, if you click the Manage Websites... button next to the checkbox, you can view Safari's list of website shortcuts, remove individual websites, or clear the list completely.



How to View the Desktop Version of a Website on Your iPhone and iPad

Most popular websites these days come in both desktop and mobile versions, with the latter rendering content in a more responsive fashion for a consistent browsing experience across a variety of tablet and smartphone screens.

Mobile-friendly websites are often stripped down and streamlined for easier navigation, with the result that some full-page content isn't displayed at all – and even when it is, finding that content can sometimes be a chore, especially if you're used to the desktop version of a site.

Recognizing this, Apple has had the foresight to let you bypass mobile versions of websites and view original desktop versions on its mobile devices instead. To request a desktop site on your iPhone and iPad, simply follow these steps.

  1. Launch Safari on your iOS device and navigate to the website in question.

  2. Long press the Reload button in the far right of the address bar.

  3. On iPhone, tap Request Desktop Site at the bottom of the screen. On iPad, the same option appears in the dropdown menu below the Reload button.

Note that you can also access this option by tapping the Share button (the square with an arrow pointing out) and selecting Request Desktop Site from the third row of the Share Sheet.

With that done, Safari should remember your preference for that particular website and load the desktop version the next time you visit it.



Apple Removes Questionable Web Links From Siri Suggestions

Apple has removed a number of results from Siri Suggested Websites after BuzzFeed highlighted several examples of the feature offering up "debunked conspiracies, shock videos, and false information."

Siri Suggested Websites is an optional feature in Safari that serves up auto-completed suggestions based on what the user starts typing into the browser's search bar. Results are curated by Apple and can include links sourced from things like Wikipedia, YouTube, and the iTunes Store.

BuzzFeed News stoked controversy by pointing out that if users typed in, say, "Pizzagate," the Siri feature would return links to YouTube videos by conspiracy-theory peddler David Seaman. From the article:
"Such results raise questions about the company's ability to monitor for low-quality information, and provide another example of the problems platforms run into when relying on algorithms to police the internet."
Incidentally, the link didn't actually work because YouTube previously removed the video for violating YouTube's terms of service. So whichever way you look at it, Apple's algorithm-driven suggestions aren't doing their job very well.

BuzzFeed informed Apple of this and several other "low quality" Siri Suggestions highlighted in the article, and Apple has since removed them. The company also provided the site with the following statement:
"Siri Suggested Websites come from content on the web and we provide curation to help avoid inappropriate sites. We also remove any inappropriate suggestions whenever we become aware of them, as we have with these. We will continue to work to provide high-quality results and users can email results they feel are inappropriate to applebot@apple.com."
The questionable Siri Suggestions are reportedly caused by a "data void," which is what happens when a term doesn't have "natural informative results" and manipulators capitalize upon it. "Many of the sites surfaced by the Siri Suggested feature came from conspiracy or junk sites hastily assembled to fill that void," BuzzFeed concludes.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

