
Security Bits – 15 June 2019

Followups

  • 🇺🇸 🇮🇳 Thanks to a letter sent to Facebook by US Senator Richard Blumenthal we now know that Facebook’s controversial VPN tracking app collected data on 187K users, and that 31K of those were in the US, and 4.3K of those were teens. The remaining users were in India — nakedsecurity.sophos.com/…

Security Medium — Sign in with Apple

Privacy was a strong focus throughout Apple’s recent WWDC keynote, and all their up-coming OS updates will be crammed with interesting new security and privacy features. As a general rule, we prefer to talk about things that are actually released in this segment, so we’ll keep our powder dry on the vast majority of the updates until the new OSes are released in a few months.

One announcement stood out above all the others though, because it’s not an evolutionary improvement or enhancement, but a whole new departure for Apple, and that’s Sign in with Apple.

What is it?

Starting in the Fall Apple will offer a centralised mechanism for logging in to participating apps and websites via Apple. They will act as an identity provider. Apple will verify that the person trying to log in really is you, and then cryptographically vouch for you to the site or app you are trying to access.

You’ve seen this model before in the form of those ever-present sign in with <INSERT SOCIAL MEDIA NETWORK HERE> buttons.

Apple will only provide the service to users with 2FA, and will vouch for two things — that the user is who they say they are, and, the level of confidence Apple have that the user is a human and not a bot.

When you use the service you will be asked to confirm the information Apple give to the app/service. The most Apple will share is your name and email address, and you get to alter the name to anything you like, and you get the option to mask your email address with a per-service anonymous burner address that Apple will forward to your real address. You can disable these burner addresses any time you like.

Finally, any iOS app that offers third-party logins will be required to also offer Sign in with Apple.
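The identity-provider model described above (the provider cryptographically vouches for the user, the app checks that vouching before trusting it), as an added example that is not Apple's code and not Apple's wire format. A toy provider signs an assertion for one app, and the app performs the checks a relying party must make: signature, issuer, that the assertion was issued for this app and not another, expiry, and the nonce it sent. The provider name, client IDs, user identifier, relay address, fixed signing seed and fixed clock are all constructed; the real Sign in with Apple tokens are JSON Web Tokens verified against Apple's published keys, which this example does not reproduce.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a constructed, simplified set of claims the identity provider (IdP)
// signs to vouch for a user to ONE app. Claim names follow common OpenID Connect
// usage; this is not Apple's format.
type Assertion struct {
	Issuer   string `json:"iss"`   // who is vouching
	Audience string `json:"aud"`   // which app the assertion was issued for
	Subject  string `json:"sub"`   // the IdP's identifier for this user at this app
	Email    string `json:"email"` // may be a per-service forwarding address
	Expires  int64  `json:"exp"`   // unix seconds
	Nonce    string `json:"nonce"` // echoed from the app's login request
}

// IdP is the provider side; Pub is the key it publishes so apps can verify it.
type IdP struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// Vouch signs an assertion for one app: base64url(payload) "." base64url(signature).
func (p *IdP) Vouch(aud, sub, email, nonce string, ttl time.Duration, now time.Time) (string, error) {
	payload, err := json.Marshal(Assertion{Issuer: p.Name, Audience: aud, Subject: sub,
		Email: email, Expires: now.Add(ttl).Unix(), Nonce: nonce})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(p.priv, payload)), nil
}

// App is the relying party: the app or site that accepts the IdP's word.
type App struct {
	ClientID, TrustedIssuer string
	IssuerKey               ed25519.PublicKey
}

var ErrInvalid = errors.New("assertion rejected")

// Verify: signature first (nothing in the payload counts until it passes), then
// issuer, audience (issued for THIS app), expiry and nonce.
func (a App) Verify(token, expectedNonce string, now time.Time) (*Assertion, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("%w: malformed token", ErrInvalid)
	}
	enc := base64.RawURLEncoding
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("%w: bad encoding", ErrInvalid)
	}
	if !ed25519.Verify(a.IssuerKey, payload, sig) {
		return nil, fmt.Errorf("%w: signature does not verify", ErrInvalid)
	}
	var c Assertion
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("%w: bad payload", ErrInvalid)
	}
	switch {
	case c.Issuer != a.TrustedIssuer:
		return nil, fmt.Errorf("%w: issuer %q not trusted", ErrInvalid, c.Issuer)
	case c.Audience != a.ClientID:
		return nil, fmt.Errorf("%w: issued for %q, not us", ErrInvalid, c.Audience)
	case now.Unix() >= c.Expires:
		return nil, fmt.Errorf("%w: expired", ErrInvalid)
	case c.Nonce != expectedNonce:
		return nil, fmt.Errorf("%w: nonce mismatch", ErrInvalid)
	}
	return &c, nil
}

// Demo runs one login plus the failure cases and reports whether each behaved as expected.
func Demo() (map[string]bool, error) {
	seed := make([]byte, ed25519.SeedSize) // constructed fixed seed, demo only
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	idp := &IdP{Name: "idp.example", priv: priv, Pub: priv.Public().(ed25519.PublicKey)}
	now := time.Unix(1560000000, 0) // constructed fixed clock
	app := App{ClientID: "com.example.app", TrustedIssuer: idp.Name, IssuerKey: idp.Pub}
	other := App{ClientID: "com.example.other", TrustedIssuer: idp.Name, IssuerKey: idp.Pub}

	// The user signs in to app; the IdP vouches and hands over a forwarding address, not the real one.
	tok, err := idp.Vouch(app.ClientID, "user-7f3a", "x9k2@relay.example", "n1", 5*time.Minute, now)
	if err != nil {
		return nil, err
	}
	// Re-address the payload to the other app while keeping the original signature.
	parts := strings.SplitN(tok, ".", 2)
	payload, _ := base64.RawURLEncoding.DecodeString(parts[0])
	forged := base64.RawURLEncoding.EncodeToString(
		[]byte(strings.Replace(string(payload), app.ClientID, other.ClientID, 1))) + "." + parts[1]

	r := map[string]bool{}
	_, err = app.Verify(tok, "n1", now)
	r["accepted by the app it was issued for"] = err == nil
	_, err = other.Verify(tok, "n1", now)
	r["rejected by a different app (aud)"] = err != nil
	_, err = other.Verify(forged, "n1", now)
	r["rejected when re-addressed (signature)"] = err != nil
	_, err = app.Verify(tok, "n1", now.Add(10*time.Minute))
	r["rejected after expiry"] = err != nil
	_, err = app.Verify(tok, "n2", now)
	r["rejected on nonce mismatch"] = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	for check, ok := range r {
		fmt.Printf("%-42s %v\n", check, ok)
	}
}
```

The audience check is the one most often forgotten: a genuine, correctly signed assertion for a different app must not log the user in to yours, which is also why the provider must bind every assertion to a single relying party rather than vouching "to the world".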

Background

For over a decade now there has been a strong desire to deal with the proliferation of passwords everywhere by consolidating our trust into a central identity provider who can vouch for us anywhere we need to authenticate ourselves. The big hope was the free and open OpenID protocol, but that just hasn’t taken off. Why? Impossible to know for sure, but for what it’s worth, my theory is that it was crowded out by OAuth and those all-pervasive sign in with <INSERT SOCIAL MEDIA NETWORK HERE> buttons.

OpenID is a charitable foundation, so it has never focused on making money, but Yahoo!, Facebook, Google & Twitter saw an immense opportunity in becoming a central identity provider for as many of their users as possible. If your business is to build profiles of people and use those profiles to sell user attention to advertisers, then knowing every site the user logs into is obviously immensely valuable!

So, those of us who value our privacy more than we get cranky about the inconvenience of making stand-alone accounts all over the place have opted to solve the password problem with password managers rather than identity providers.

It’s All About Trust

Central identity providers are ubiquitous in the corporate world. If you have Azure Active Directory from Microsoft you can use your traditional domain credentials to authenticate against corporate-owned cloud apps from all sorts of vendors.

You’ll also find centralised identity providers in ubiquitous use in education — many schools and universities have Office365 or GSuite and use their OAuth implementations to authenticate students to all sorts of apps with a single set of credentials. There are even global federated identity providers used to allow staff and students from one university to log in to facilities provided by another (eduGAIN & eduroam are perfect examples).

Why do identity providers work in the corporate and education worlds, but not in our personal lives? Simple — they are under the direct control of the organisations whose users they provide identity for, so there is inherent trust. If I work for Bartificer Widgets then of course I trust their central identity provider to authenticate me to the services they provide me in order to facilitate the work I do for them in exchange for my salary! The same applies if I am a student paying BartificerU for a good education — of course I trust BartificerU to authenticate me to the Virtual Learning Environment where I get my lecture notes, and of course I trust them to authenticate me to free wifi at any educational institution in the world that supports eduroam, and of course I trust them to authenticate me to the journal papers and ebooks I need for my studies via eduGAIN!

The issue with the Log in with XXX buttons is that to use them, we must implicitly trust the identity provider powering them! It is impossible to act as an identity provider without communicating with the sites your user is trying to authenticate to. The service requires the provider to know these things every bit as much as doctoring requires doctors to know things about their patients, and mechanics to see under the hoods of people’s cars. You can’t have an identity provider without them knowing where you authenticate!

If you want a convenience that you cannot have without placing your trust in a provider, then you have to choose which provider you trust most. You can’t not trust, your only choice is who to trust!

Follow the Money!

I feel like a stuck record, but it always comes back to the same thing — do the incentives acting on the company who’s offering me a service align with my best interests? It all comes back to business models!

The three most popular identity providers out there are Facebook, Google, and Twitter. All three of them share a business model where their users are not their customers. All three of them give their users free services in exchange for tracking them more thoroughly than any authoritarian state has ever been able to do, so they can build up a detailed profile of each user that they can use to sell those users’ eyeballs to their customers, advertisers.

The reason this announcement from Apple is interesting is because their business model is very different, so their incentives align differently with their users’ interests. Apple sell products and services to their users, so their users are their customers. That means Apple is incentivised not to exploit the inherent trust that users have to place in an identity provider.

There is a very obvious downside to Apple’s approach — you have to pay them!

You always have to pay! You can choose to pay with your data, or your wallet, but pay you shall!

There is no Universal Answer

There is no absolute right and wrong choice here. It all comes down to your personal priorities. Do you value the convenience of a central identity provider enough to pay for it in any way at all? And if so, would you prefer to pay with your privacy or your money?

Depending on how you answer those questions, you’ll come to very different decisions on whether to use any of these buttons at all, and if you do, which ones.

How are all the Various Parties Affected?

Developers get to write apps that allow user logins without the need to spend time coding a username and password management system, and without the need to worry about verifying that users really are human. Developers also don’t need to secure user data, because they can’t lose what they don’t have!

Developers who already use 3rd-party login buttons have to add a new service. I’ve read the docs and the APIs are wonderfully simple and easy to implement, but, it’s work, and since Apple don’t want to track people, there will be no kick-backs from Apple in exchange for user data, so there will be no direct financial reward like there could be from companies like Facebook who often do deals in exchange for data. Developers are the only party I see with no obvious gains from this new development.

Users who trust Apple get to have a frictionless way of authenticating to apps and services relatively anonymously.

Apple get to say they offer their customers this nice privacy as a service feature.

Finally, Facebook, Google, etc. are not directly affected because they are not third parties to themselves. They will not have to add Sign in with Apple buttons to their apps.

Side Note: Anonymous Email Forwarding Also Involves Trust

It is certainly true that you can make your own burner email addresses, but it’s a lot of hassle to do that each time you want to try some new app or service that needs an account.

Apple are offering real convenience with their per-app anonymised forwarding service. However, it is unavoidable that Apple’s servers have to process all the mail that comes through those anonymised forwarders, so, using them inevitably involves placing trust in Apple.

Personal Soap Box (Bart) — Allison, OK to delete if you prefer

“Apple could <INSERT EVIL PRIVACY VIOLATING THING HERE> some day in the future” is not an argument IMO! Companies do their best not to harm their own interests, so unless you can explain to me why Apple would be incentivised to do a complete U-turn on privacy I’m not interested in hearing your conspiratorial nonsense! I see no reason to assume Apple will become corporately suicidal any time soon!

Links

Notable Security Updates

Notable News

  • Yubico recalls government-grade security keys due to bug — www.engadget.com/…
  • Microsoft are warning users against running un-patched versions of Office because they have seen a spike in real-world attacks against a bug that was patched in 2017 — nakedsecurity.sophos.com/…
  • YouTube announced improved protections for kids on their platform. Kids must now be accompanied by an adult while live streaming, comments will be disabled on videos featuring kids, and kids will not receive recommendations for videos that show kids in risky situations — youtube.googleblog.com/… & nakedsecurity.sophos.com/…
  • Apple have tightened their rules on advertising and tracking within apps targeted at kids. Previously only behavioural ads were banned, now all third-party ads and analytics are banned — nakedsecurity.sophos.com/…
  • Firefox version 67 comes with notable security and privacy improvements including Advanced Tracking Protection, a feature for sandboxing Facebook so it can’t track you around the web, an updated cloud-based integrated password manager now renamed to Lockwise (it was Lockbox and is available as a desktop browser plugin, iOS app and Android app), and improvements to Firefox Monitor (integration with Have I Been Pwned) — nakedsecurity.sophos.com/…
  • 🇺🇸 🌎 Foreigners applying for a US visa will now have to provide 5 years worth of social media usernames on their applications. Note that only the usernames are being requested, not the passwords. Civil liberties groups are arguing that this new policy is both invasive and ineffective, and open to obvious abuses — nakedsecurity.sophos.com/…
  • 🇬🇧 The Investigatory Powers Commissioner (a government watchdog) ruled that MI5 (Britain’s domestic intelligence service) showed a “historical lack of compliance” with Britain’s Investigatory Powers Act (better known as the snooper’s charter), and that he was applying “special measures”, meaning the agency will be under extra scrutiny each time it applies for a warrant — www.bbc.co.uk/…

Suggested Reading

Suggested Listening

Palate Cleansers

Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
