
Security Bits — 13 June 2021

Feedback & Followups

Deep Dive 1 — 🧯Don’t Panic About Amazon Sidewalk

A lot of the tech press got all hot and bothered about the launch of Amazon’s Sidewalk mesh network, but none of the articles made a compelling fact-based case for their dire warnings, probably because there is no factual basis for those warnings! The closest to a good argument I’ve seen comes from Ars Technica, and it basically boils down to “it’s possible they made a mistake and the excellent security and privacy they designed in will have a bug”. That’s literally a logical fallacy — appeal to possibility!

Also, Amazon Sidewalk is not ‘sharing your internet connection’ any more than Apple’s Find My Network is — it’s purely a messaging protocol, allowing devices to send and receive messages when they’re out of wifi range. In fact, in terms of overall design, security, and privacy, it’s basically the same as Apple’s Find My network.

For me, the key point is that you can only be included in this network if you have Amazon devices. Amazon devices themselves offer their users much less privacy than Sidewalk does, so if you trust Amazon enough to use their products, why wouldn’t you trust their much more private Sidewalk network‽ IMO using Amazon devices but hyperventilating about Sidewalk is like trusting your bank’s safety deposit box to protect your gold ingot, but not their most secure vault to protect your spare house key!

You don’t need to take my word for it — Steve Gibson did a deep-dive into Sidewalk a few months ago, and found it to be extremely well designed, and he reiterated that in recent shows.

Links

Deep Dive 2 — Apple Buried the Lead With Private Relay!

Apple are getting a lot of press with the Private Relay feature they announced at their World Wide Developer Conference (WWDC) this week, but a lot of the press is missing the point.

Let’s cut straight to the chase here and say Private Relay is not a VPN. It’s not trying to be a VPN, Apple didn’t describe it as a VPN, it doesn’t behave like a VPN — it’s not a VPN! In fact, it explicitly keeps its hands off VPN traffic.

As soon as I heard the two-server description I recognised it — that’s how Oblivious DNS Over HTTPS (ODoH) works, and Apple is one of the companies who helped develop that nascent standard. We described ODoH in detail back in December on this very segment! (www.podfeet.com/…)

Private Relay is **system-wide** ODoH with a very impressive bonus-extra — secure web proxying for all Safari browsing and most HTTP traffic from most apps.

A very quick recap of why ODoH really matters:
1. All apps use DNS to convert domain names to IP addresses, so DNS traffic is extremely revealing — it doesn’t just show what you do on the web, it shows just about everything you do on the internet!
2. The DNS protocol is ancient, and it’s a privacy train-wreck: it’s all in plain text!
3. DNS over HTTPS (DoH) and its cousin DNS over TLS went a long way towards offering a solution by simply wrapping DNS queries in a layer of encryption as they go from your computer to your chosen DNS server (DNS resolver if you want to be pedantic)
4. With DoH etc. you still have to trust your DNS server — they see everything!
5. By adding a trusted third party, ODoH solved that last problem — your DNS server sees that it’s you asking questions, but can’t see what it is you are asking, and the third party sees what you are asking, but not who you are, so no one in the chain has all the pieces, hence, privacy by design!

The H in ODoH stands for HTTPS, so an ODoH system is already designed to handle HTTPS traffic, why not route web requests through it as well as DNS requests? The only reason would be capacity really — DNS traffic is small, web traffic, not so much! Well, it seems Apple have decided to open their proverbial wallets and added sufficient resources to their system to deal with web traffic as well as DNS queries.

The final piece of the puzzle is a clever little final addition by Apple — they are routing insecure HTTP traffic through this new infrastructure too, effectively upgrading the connection to HTTPS for the most dangerous part of its journey.

When you visit an unsecured website (i.e. an HTTP URL), the request your browser sends to the server and the server’s reply travel all the way across the internet unencrypted. That means they pass through your local network, your ISP, the internet backbone, and the server’s local network unencrypted. The two most dangerous legs of that journey are your local network when you’re not at home and your ISP’s network.

Apple can’t secure your insecure web browsing all the way to the server because if the server supported HTTPS you wouldn’t have this problem! What Apple can do though is secure the first two legs of that journey — your local network and your ISP. With Private Relay, HTTP traffic is wrapped in HTTPS on your iPhone/iPad/Mac, passes through your local network as HTTPS, passes through your ISP as HTTPS, arrives at Apple’s ingress proxy as HTTPS, gets passed to the trusted third party’s egress proxy as HTTPS, before finally emerging onto the internet backbone as plain old HTTP (and the reverse happens for the reply). The effect is that the plain-text HTTP traffic is encrypted as it moves through your network and your ISP’s network, denying fellow coffee shop visitors and ISPs the chance to snoop on you and invade your privacy, or inject ads or malware into the replies!
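The split of knowledge described in the ODoH recap and the Private Relay walk-through above, as an added example (not Apple's code and not part of the original show notes). It sends one request through an ingress hop and an egress hop and records what each can observe; the X25519 + HKDF + AES-GCM sealing is a simplified stand-in for the HPKE encryption that ODoH specifies, and the function names, IP address and query string are constructed for illustration.

```javascript
// Added illustration: two-hop relay where no single hop knows both who and what.
const { generateKeyPairSync, diffieHellman, hkdfSync, createCipheriv,
        createDecipheriv, randomBytes } = require('node:crypto');

// The egress hop (the "trusted third party") publishes a long-term public key.
const egressKeys = generateKeyPairSync('x25519');

// Shared symmetric key from an X25519 exchange (stand-in for HPKE key schedule).
function deriveKey(privateKey, publicKey) {
  const shared = diffieHellman({ privateKey, publicKey });
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), 'relay-demo', 32));
}

// Client: seal the request so that only the egress hop can open it.
function clientSeal(request) {
  const eph = generateKeyPairSync('x25519');          // fresh key per request
  const key = deriveKey(eph.privateKey, egressKeys.publicKey);
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(request, 'utf8'), c.final()]);
  return { ephPub: eph.publicKey, iv, ct, tag: c.getAuthTag() };
}

// Ingress hop: sees the client address but only an opaque blob.
function ingress(clientIp, sealed, seen) {
  seen.ingress = { clientIp, payload: sealed.ct.toString('hex') };
  return egress('ingress-proxy', sealed, seen);       // client IP is not forwarded
}

// Egress hop: opens the request but only ever sees the ingress hop as its source.
function egress(source, sealed, seen) {
  const key = deriveKey(egressKeys.privateKey, sealed.ephPub);
  const d = createDecipheriv('aes-256-gcm', key, sealed.iv);
  d.setAuthTag(sealed.tag);
  const request = Buffer.concat([d.update(sealed.ct), d.final()]).toString('utf8');
  seen.egress = { source, request };
  return request;
}

// Run one request through both hops and return what each hop observed.
function relay(clientIp, request) {
  const seen = {};
  ingress(clientIp, clientSeal(request), seen);
  return seen;
}

console.log(relay('203.0.113.7', 'A? example.com'));  // constructed sample input
```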

Bottom Line — What is Private Relay giving us?

  1. OS-wide ODoH (I’d pay for iCloud just for that!)
  2. ODoH-style secure & private relaying of all web traffic from Safari
  3. ODoH-style privacy and a little extra security for most HTTP traffic in most apps (way too many weeds here to wade into them now)

Links

❗ Action Alerts

Worthy Warnings

Notable News

  • Internal documents released as part of an Arizona court case show Google actively tested changes to their privacy settings so as to make them as hard to find and use as they could legally get away with, and used A-B testing to measure the effect this dark pattern had on the number of users who turned off location tracking — daringfireball.net/…
    • Editorial by Bart: This is what being evil looks like — skilled engineers turning their considerable talent to the task of discouraging users from protecting their privacy so as to bolster corporate profits.
    • Related: Google are kinda-sorta following Apple’s ATT lead — later this year Android users will be able to opt out of Google’s ID for advertisers (Apple’s system is opt-in to allow tracking, which is a big difference) — www.imore.com/…
  • 🇦🇺 🇺🇸 🇪🇺 ‘Operation Trojan Shield’ – the Australian Federal Police collaborated with the FBI and Europol to infiltrate some of the highest levels of international crime organisation by distributing a booby-trapped encrypted messenger app. The operation came to a head this week with simultaneous raids in 16 countries leading to over 800 arrests — www.independent.ie/…
  • 🇺🇸 The US Supreme Court has narrowed the interpretation of the Computer Fraud and Abuse Act — www.nbcnews.com/…
    • Editorial by Bart: this is a really big deal IMO, the CFAA is one of the most abused laws in the US, allowing prosecutors to convert a violation of a TOS you probably never read into a felony charge of hacking!
  • Apple will continue to provide security updates for iOS 14 after iOS 15 launches, and users will have a toggle in their update settings to prevent an automatic update to the next major version — www.imore.com/…

Palate Cleansers

  • Bart: 🎧 This is the preview episode for a podcast mini-series I think many Nosillacastaways will enjoy: Blind Guy Travels: Meet Your Guide — overcast.fm/…
  • Bart: 🎦 An excellent preview of the post-password utopia Apple is working towards. The first half is the best explanation I’ve seen anywhere of Webauthn — developer.apple.com/…
  • Allison: Dave Hay posted in our Slack an 11-year old XKCD comic in sympathy to Sandy’s frustration with her latest AppleCare experience. xkcd.com/…

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
