At WWDC 2018 yesterday (June 4), Apple gave thousands of developers a sneak peek at upcoming Safari features. The next version of Apple's browser on macOS 10.14 Mojave and iOS 12 will aim to push back against the ad-tracking and browser-fingerprinting techniques that, in the wake of Facebook's Cambridge Analytica scandal, the internet is so afraid of.
The new features are a big deal -- but perhaps not as big of a deal as Apple says they are.
The most noticeable change is that users will receive popups prompting them to grant (or revoke) permission for websites (such as, ahem, Facebook) to use cookies while they browse.
"You can decide to keep your information private," explained Apple VP Craig Federighi onstage.
Apple also announced that Safari will try to block advertisers from using browser fingerprinting, which lets them track users who delete their cookies. (All these features involved Safari on Mojave and iOS 12, but there's no indication they won't also be available for earlier Apple OS's.)
Fingerprinting involves using the information that browsers provide web servers about individual devices, including time zones and installed extensions, fonts and ad blockers. Get enough information, and you can identify individual browsers and track them even without tracking cookies.
To combat this, the new Safari will tell web servers only the browser version, operating system, default fonts and generic configurations, making your Mac indistinguishable from many others.
Finally, the new Safari will offer to generate and auto-fill strong passwords and discourage you from using the same password in multiple places. (If you want to save your passwords in more than one browser, try a stand-alone password manager.)
There's no question that these modifications are a good start and may justifiably ease some people's post-Cambridge Analytica fears.
But contrary to what Apple would like you to believe, you can hardly rest easy at this point. For one, as Facebook Chief Security Officer Alex Stamos pointed out on Twitter, the new Safari will still be vulnerable to some other major tracking techniques.
These include tracking pixels, which are tiny invisible images that advertisers can hide in the background of a web page or email message to alert them when you load the content. Safari also won't block sites from using third-party scripts which can also track your browsing.
If this is about protecting privacy, and not just cute virtue signaling, then they should block all 3rd party JS and pixels. — Alex Stamos (@alexstamos) June 4, 2018
If you're worried about your browsing data, Firefox and Chrome may still be your best bets.
Mozilla has begun work on integrating a technology called DNS over HTTPS (DoH) into its browser, a technology which encrypts Domain Name Service (DNS) queries to keep ISPs from receiving them (and crooks from tampering with them). Mozilla has also partnered with Cloudflare, an internet infrastructure company known for high standards of security and a publicly available DNS service.
Google is taking a similar approach with Chrome and Android P as well. Its tool of choice, DNS over TLS, uses a protocol called Transport Layer Security (TLS) to establish a secure channel between clients and DNS servers to prevent snoops from obtaining (and tampering with) them. Chrome also features a native ad blocker, but it stops only ads that Google finds too annoying.
Both browsers also support extensions to increase your privacy and security. NoScript on Firefox makes sure no JavaScript runs without your permission, and ScriptSafe offers similar protection in Chrome. Ghostery lets you detect and block trackers on both Firefox and Chrome.
Image credits: Tom's Guide
- 12 Computer Security Mistakes You’re Probably Making
- 7 Easy Ways to Get Your Identity Stolen
- Best Antivirus Protection for PC, Mac and Android
