Inside Safari 3.2's Anti-Phishing Feature

MacWorld is running a piece from MacJournals.com's for-pay publication detailing how the Safari browser's anti-phishing works. The article takes Apple to task for not thinking enough of its users to bother telling them when Safari sends data off to a third party on their behalf. For it seems that Safari uses the same Google-based anti-phishing technology that Firefox has incorporated since version 2.0, but, unlike Mozilla, tells its users nothing about it. "Even when phrased as friendly to Apple as we can manage, the fact remains that after installing Safari 3.2, your computer is by default downloading lots of information from Google and sending information related to sites you visit back to Google — without telling you, without Apple disclosing the methods, and without any privacy statement from Apple."

Hey - Apple didn't promise anything.

[Petersko]

In Apple's defense, they've never promised to do no evil. Their goal is to instill such unswerving devotion in their customer base that when they actually do some evil, it's here and gone in the news, and nothing has to change.

So far, so good.

Re:Hey - Apple didn't promise anything.

[Gilmoure]

I thought Apple only had 5% of the minions.

Re:Hey - Apple didn't promise anything.

[SanityInAnarchy]

It's actually much simpler: Apple decides things for you.

Good or evil, what's actually going on here is that Apple has decided that the Best User Experience (TM) will be best served by you surrendering personal information to Google -- that the benefit of privacy is far outweighed by the risk of phishing.

Kind of like how Apple decided that the benefits of being able to install any software you want on a device (iPhone) are far outweighed by the risks of you installing something harmful.

And for what it's worth, when you agree with Steve Jobs on the way things should be done, it's actually pretty amazing. Safari isn't a bad browser.

But when you disagree with Steve Jobs, you have no recourse other than to suck it up or stop buying Apple products.

Except the Google service is privacy preserving...

[nweaver]

The google service is designed to minimize privacy leaks. It downloads a coarse-hashcheck database (so Google learns nothing). And then if something hits, it queries a detailed hash.

So unless you get a match on the coarse-hash database, Google learns NOTHING. And google only learns a hash if it matches, which is not very useful, AND google doesn't store this information unless it is a match with their detailed database.

It's Not About Who Sees What

[Petersko]

"The google service is designed to minimize privacy leaks. It downloads a coarse-hashcheck database (so Google learns nothing). And then if something hits, it queries a detailed hash."

The problem is the lack of disclosure.

Re:It's Not About Who Sees What

[AKAImBatman]

The problem is the lack of disclosure.

I'm going to play devil's advocate for a moment and point out that such disclosure is getting harder and harder to comply with. Especially when the web is seen as a collection of cloud services. Should that piracy map viewer posted yesterday disclose to every user that they will connect to Google Maps for map data? Does every website disclose that you are downloading ads from Google or Doubleclick before you visit? Does your favorite web forum notify you that you'll be connecting to Youtube when users post videos?

Those examples convey far more sensitive information than this anti-phishing technology. Yet we don't even bat an eye. In fact, we praise them for such useful extensions to their services. Should web browsers thus play by different rules and be required to notify the user of a non-existent violation of privacy before they do something useful?

I'm not saying that some people don't feel slighted by this. I am saying that the web is evolving in ways that have already made this the norm rather than the exception. If you do feel slighted and wish to be excepted, you're probably going to have to get used to reconfiguring your browser in the same way you install adblock or flashblock.

Re:It's Not About Who Sees What

[RaceProUK]

Don't all Google ad-blocks have 'ads by Google' on them? And I do believe all YouTube videos viewed off-site have the YouTube watermark. Plus, Google Maps mashups tend to have 'Google Maps' in the bottom right corner.

Re:It's Not About Who Sees What

[AKAImBatman]

Don't all Google ad-blocks have 'ads by Google' on them?

Which would be after you give your information to them. Most other ad agencies don't even go as far as that!

And I do believe all YouTube videos viewed off-site have the YouTube watermark. Plus, Google Maps mashups tend to have 'Google Maps' in the bottom right corner.

Same thing. You've already connected to their servers and given up your info. Just because there are logos to promote brand recognition there, doesn't mean that you consented to give up your info to a third party or received disclosure that it was going to happen. Google Maps even goes so far as to give you a Terms of Use link *after* you've engaged their services! *gasp!*

I guess the question for you is: Would you feel better if the antiphishing technology had a "powered by Google" logo on it when it found a dangerous site? If so, I'm sure that's something that Apple would be willing to add. It won't do anything to better protect your privacy, though. It will merely give you a warm and fuzzy feeling.

Re:It's Not About Who Sees What

[Rayeth]

Even learning after the fact is better than not being told that the transaction is taking place at all.

Re:It's Not About Who Sees What

[AKAImBatman]

Glad you feel that way. I'll get a few post-event disclosures out of the way then:

1. Your IP address, browser, operating system, installed plugins, and physical location were logged by Google Analytics as soon as you hit Slashdot.

2. If you don't have adblock installed, your browser contacted doubleclick.net when you visited Slashdot and uploaded the unique id assigned to your browser. If you did not have a unique id, one was assigned to you. Additional information such as the site you are visiting, your browser, your plugins, your geographic location, and other information may have been collected during this transaction.

Hope that helps!

Re:It's Not About Who Sees What

[Low+Ranked+Craig]

The problem is the lack of disclosure. That may be, but the truth is that 99.99% of users in general wouldn't have a clue what to do with that information.

Re:It's Not About Who Sees What

[dwpro]

Unless, of course, you have noscript.

Re:It's Not About Who Sees What

[Lars+T.]

The problem is the lack of disclosure.

Firefox has disclosed jack shit to me. So where's your problem with that?

Re:It's Not About Who Sees What

[Lars+T.]

Will I agree with you that this is a pointless argument I would say the difference between this and the examples you list is that it's an application on my desktop which is sharing the information. Not two website which have no relation to my computer or the information stored therein.

It still think people will complain just because they need something to complain about to get noticed an feel important. They will scream slippery slope and wave there arms never realizing that there is no slope....it's a minefield and we are all wearing rollerskates.

I have the feeling you don't know how a browser works - it's not Slashdot that is sending the data, it's your browser. And if you are so paranoid about your privacy, you shouldn't be using any browser.

Re:It's Not About Who Sees What

[nneonneo]

Firefox+NoScript. Then mark Google Analytics as untrusted to avoid it from telling you it blocked GA. Same thing works for DoubleClick and other advertising/tracking sites.
 
Alternatively, you could add an /etc/hosts file to redirect GA somewhere harmless.

Re:It's Not About Who Sees What

[Lars+T.]

So when Mozilla puts something in the license, they are disclosing it, and when Apple puts it in the EULA, they are hiding it. Thanks for clearing that up.

Data protection act?

[TheRaven64]

I know Apple is based in the USA, with notoriously weak data protection laws, but over on this side of the pond distributing personally-identifiable information to a third party without explicit consent is a criminal offence. I wonder how close to the line this comes, or if it actually crosses it. I wasn't asked to agree to a new version of the EULA when I installed Safari 3.2 (I did it through the terminal, so maybe you are when you use the graphical update client?) and so I haven't even given implicit permission for Apple to tell Google about my browsing habits.

Re:Data protection act?

[negRo_slim]

but over on this side of the pond distributing personally-identifiable information to a third party without explicit consent is a criminal offence.

Sorry I'm less than enthusiastic at your privacy laws considering there's a camera on every corner in your country, watching the citizenry.

Re:Data protection act?

[ChrisA90278]

The key is "personally-identifiable". What Apple is sending is not. They are sending a hash of a page. All they are doing is taking something you just downloaded, scrambling it up and sending it back to the web.

If you are truly worried about people finding out what sites you are browsing then you need to worry a LOT about DNS servers. DNS server know your IP address and the name of every site you click. How would you know if the DNS server is logging your queries?

Slightly OT, but this steams me

[hellfire]

Remember, the people who designed the Internet (incorrectly) assumed that all computers on the network would be trustworthy, so the rules are pretty loose.

C'mon, Macworld is better than this. Okay, the article is critically reviewing the anti-phishing feature, but the writer seems to have a bone to pick and in order to post an emotionally charged article, takes things one step too far.

The internet was intentionally designed, itself, not to have a centralized authorizing body for each and every PC and server on the planet. It's decentralized on purpose. When a so called journalist writes something like this, I have a problem, because to me it's just pandering to the security freaks. It's a bit off topic, but I also have a problem reading the rest of the article because it makes it hard to trust what the guy has to say. There's probably good facts in the article, and if there's a problem Apple should be criticized, but I can't possibly continue reading when I see something stupid like this.

Re:So...

[ttlgDaveh]

First off, because it drives me nuts, it is "couldn't care less". (Cue picking on grammar errors in this post. Maybe I'll drop a couple in intentionally!)

Secondly there is adblock (and flashblock) for Safari in the form or SafariBlock, or if you don't care for Input Managers there's always things like GlimmerBlocker which is a local HTTP Proxy which will block ads (and flash and do other fancy things) across the whole system and not just one browser.

Re:Except the Google service is privacy preserving

[asa]

You've got it backwards. There is no longer an option to check as you browse and the check against the local list has always been the default.

It's not that hard to write a clear privacy policy

[Animats]

Our AdRater plug-in has similar privacy issues. It's a plug-in that "phones home" to get information about the advertisers whose ads appear on a site. Here's what we tell users:

AdRater "phones home", but tells us as little as possible. AdRater sends the domain name associated with each advertisement you see to SiteTruth. Thus, we can tell what advertisers have reached you, but cannot tell what web pages you have been viewing. We can't tell if you click on an ad. AdRater does not use "cookies" or any other user identifiable information other than your current IP address.

If we change any of this, the changes will not take effect until you download and install a new version of AdRater.

AdRater does not rate ads on secure pages, so no information about a secure page is ever sent to our servers.

Now that wasn't hard, was it?

For really technical users, we publish the API AdRater uses, so you can check to see that we're telling the truth about what data goes back and forth.

Re:Haven't upgraded...

[supadjg]

Have you tried SafariBlock? http://fsbsoftware.com/index.html Works pretty well for me.

I don't "love" a company

[argent]

A lot of you seem to love Apple

I use Safari because it's well integrated with OS X. Firefox isn't, and Camino (which I use by preference) has a couple of bugs that are supposed to be fixed Real Soon Now that make it lock up behind a proxy and don't let me disable Apple's stupid insecurity dialogs.

I also use Safari and Camino because they don't use XUL the way Firefox does. I don't trust the security model for XUL nor the technique Firefox uses for the XUL installer, XPI. And in fact there's been at least one XPI-related vulnerability (quickly patched, but it shows that the class of problems I'm concerned about are real).

This doesn't mean I love Apple, or that I think the folks on the Camino team are cooler than the ones on the Mozilla team. This just means I'm more interested in the best tool for the job than where it comes from.

Re:I don't "love" a company

[argent]

Webkit's really not Cocoa, but I guess it's not politically correct to say that it's Carbon. :)

Integration with OS X is a lot easier for Cocoa applications, of course. It's harder if you're using code not written in Objective C, as Safari and Camino both do (Webkit and Gecko), but it's certainly possible... as both Safari and Camino demonstrate.

Safari and Camino use the keychain for passwords. Firefox doesn't.
Safari and Camino use the OS X proxy settings. Firefox doesn't.
Safari and Camino integrate with Services fully. Firefox doesn't.

Safari and Camino are well integrated with OS X. Firefox isn't.

Re:So why use it?

[bledri]

Just use Firefox and be done with it...

Um, you realize that Firefox uses the exact same anti-phishing technology, right? If you prefer Firefox, that's great but as far as this particular issue goes the difference is disclosure, not implementation. I like Firefox, but Safari is faster and less of a CPU and memory hog on OS X in my experience. And the integration is better - so I'll stick with Safari (although I skipped 3.2 because of all the crash complaints and I use FF for serious HTML/DOM/JavaScript hacking.)

I fail to see how this is a big deal

[$criptah]

I fail to see how this is a big deal. Did you read the article? If so, you would not panic as well.

First of all, everything is transported in hashes. You do not compare the actual URLs that customers visit, only the hashes. Google has no actual links that indicate the banks that you use and the pr0n sites you have browsed. Only hashes.

Also, this is a configurable option. Apple does not force you to use Google. Apple does not force you to use this feature. I think it would be easier if Apple has explained this feature in the release notes to a greater extent and if users had to accept some sort of a license agreement when enabling this feature. Nothing else beyond it.

Re:So why use it?

[SanityInAnarchy]

Read TFA -- or at least TFS, FFS.

This article is about an anti-phishing feature in Safari that compromises your privacy.

Your solution is to switch to Firefox, which has the exact same feature enabled by default.

Aside from sheer Firefox fanboyism, what's your point?

Re:It's not that hard to write a clear privacy pol

[SanityInAnarchy]

It does, however, present it in a non-technical way first:

AdRater "phones home", but tells us as little as possible.

For many users, that says it all.

AdRater sends the domain name associated with each advertisement you see to SiteTruth.

A domain name is pretty common knowledge. Even if it isn't, now you know some information is going to something called SiteTruth.

Thus, we can tell what advertisers have reached you, but cannot tell what web pages you have been viewing. We can't tell if you click on an ad.

Again, non-technical.

It seems like a non-technical user could read this and understand enough to decide whether or not they need to care -- and if they need to care, they can ask for help understanding it. Us technical users are grateful that all the relevant information about IP addresses, domain names, and cookies are all right there, so we don't have to go digging for clues as to what the "non-technical" marketspeak might mean.

leopard version of /etc/hosts

[adavies42]

to repeat what i said on the macworld article's comment board,

sudo dscl localhost -create /Local/Default/Hosts/safebrowsing.clients.google.com IPAddress 127.0.0.1

(or do the obvious with /etc/hosts if you're still running tiger (not that i know if safari 3.2 is available for tiger....))