Apple’s Safari has dropped the ball on security

Apple Chief Executive Officer Tim Cook speaks at the Apple Worldwide Developer conference in San Jose, California, U.S., June 4, 2018. REUTERS/Elijah Nouvelage
Apple Chief Executive Officer Tim Cook speaks at the Apple Worldwide Developer conference in San Jose, California, U.S., June 4, 2018. REUTERS/Elijah Nouvelage

News this week from Twitter (TWTR) about a helpful security option left out a five-word warning: “Safari users need not apply.”

That’s because—not for the first time—that Apple (AAPL) browser has yet to support a security advance. Even as Safari has excelled at protecting privacy on the web, it’s trailed competitors Google (GOOG, GOOGL), Microsoft (MSFT) and Mozilla in defending against other online menaces.

That’s left people with an uncomfortable choice: First-rate security or first-rate privacy in a browser, but not both.

On the one hand, Safari keeps advertisers from following you around but makes it harder to secure your accounts. Meanwhile, Google’s Chrome provides strongest the armor against online attackers but does too much to indulge the creepier instincts of online marketers. You shouldn’t be happy about that.

A key to account security

Apple’s security lag is most obvious in the feature Twitter added: universal two-factor authentication, in which you verify a login by plugging a cryptographically-signed USB key into your computer.

“U2F” protects against somebody stealing your password and neatly solves major problems with phone-based two-step verification, the most common sort.

Confirming a login with a one-time code sent via text message to your phone won’t work without a cellular signal, such as on most planes. It can also be defeated if an attacker convinces a customer-service rep at your wireless carrier to transfer your number to another device.

Having a smartphone app like Google’s Authenticator calculate confirmation codes eliminates the cellular-connectivity and account-takeover risks. But reconfiguring this app every time you switch devices is—as Google security product manager Stephan Somogyi told me last July—“a complete, total and unmitigated pain.”

Chrome has supported U2F since 2014. This spring, Microsoft and Mozilla said they would support a successor standard, WebAuthn, in their Edge and Firefox browsers. In May Firefox did just that—although Google accounts still rely on the older U2F standard that won’t work in Firefox until you enable a hidden option.

Apple, however, has remained opaque on this point. It does have employees participating in the WebAuthn development process, but the possible-features list of Safari’s WebKit open-source foundation only shows this option as “Under Consideration.” Apple pointed to those two details but did not clarify its intentions. Not for the first time, its instinctive secrecy does it no favors.

The history here suggests no rush to adopt WebAuthn. Joseph Lorenzo Hall, chief technologist with the Center for Democracy & Technology, observed in email that “Apple is frequently late to do standards”—though he expects the company to welcome this one eventually.

Enlightening users about encryption

Safari has also trailed its competitors in web encryption, which stops your internet provider and any third parties online from recording passwords you type or tracking your browsing history beyond the domain names of sites you visit.

For instance, Chrome began warning of unencrypted fields for passwords and credit-card numbers at the start of 2017. Apple didn’t add its own alert for such sensitive data input—a “Not Secure” label in prominent red type—until the end of March.

And while Chrome already adds an “i” logo icon to the address of unencrypted sites, which when clicked warns that they’re not secure, Safari offers no such heads-up that a site won’t stop third-party eavesdropping. July’s update to Chrome should make this advisory more obvious with a “Not secure” label atop every unencrypted page.

These warnings matter because most people don’t recognize traditional browser hints about site security. Last March, the Pew Research Center released a survey finding that only a third of Americans knew that an “https” prefix in a site address meant it used encryption.

A similar pattern prevailed after security researchers confirmed that a widely used encryption algorithm called SHA-1 could be readily defeated. Chrome was the first major browser to label pages using SHA-1 encryption “not secure,” starting in 2015; by early 2016, it began blocking those pages.

Firefox followed suit in February of 2017, Edge in May—but Apple did not take the same step until October of that year. Fortunately, most SHA-1 holdouts had upgraded their encryption by then, in part because of Google’s public shaming.

But what if you also value privacy?

Meanwhile, Google has also been quicker and more open in its responses to such threats as the Spectre and Meltdown Intel (INTC) processor vulnerabilities, which could let an attacker peek at data on your computer, and “forced-redirect” ads that hijack browsing sessions. These and other reasons should explain why so many security professionals run Chrome on their Macs.

But while going with the flow (Chrome has a 62.9% share of the desktop browser market, according to NetApplications surveying) and using Chrome can strengthen your security online, it raises other problems. Beyond the issues involved in giving Google even more of your time, Chrome falls short of Safari in protecting your privacy from ad networks and other trackers.

At its Worldwide Developer Conference in June, Apple announced even stronger privacy defenses: automatic blocking of Facebook (FB) Like and Share buttons that let the social network follow you around sites, backed by measures to impede sites from generating a “fingerprint” of your browser to circumvent Safari’s tracking prevention.

“I think the privacy thing has gotten totally out of control,” Apple CEO Tim Cook complained to CNN in an interview that week.

Firefox approaches Safari’s privacy protection, but its own tracking prevention isn’t on by default.

Can Apple someday match Google on security? CDT’s Hall is cautiously optimistic, and the founder of a security-certificate firm offered a similar perspective. “While Safari is lagging behind Chrome, they are moving in a positive direction that makes me satisfied,” e-mailed Andrew Ayer, founder of SSLMate.

Could Google, in turn, do better on privacy? When asked that question on Twitter in June, Google engineering director Parisa Tabriz replied “Challenge accepted!”

That would be a terrific competition to watch—far better than seeing these two firms squabble over who copied whom first.

Email Rob at; follow him on Twitter at @robpegoraro.

Read more:

How self-driving cars will take to China’s roads

Facebook’s push to kill bad political ads is also hiding regular posts

How Europe’s proposed copyright laws could ruin your search engines

Here’s what it’s like to drive a hydrogen-powered car