Security Bits Logo no alpha channel

Security Bits — 5 Feb 2022

Feedback & Followups

Deep Dive 1 — Meet Topics, the new FLoC

Last March Google announced Federated Learning of Cohorts as their proposed replacement for tracking cookies. We dug into the detail in a Security Medium on the 7th of March 2021, but the TL;DR is that it was problematic from a privacy point of view, and unlikely to succeed because it required all the browser vendors to get on board an implement the protocol too. That didn’t happen.

The idea of FLoC was that your browser would watch where you surf, then group you into cohorts of other people who surfed to similar sites and give that group an ID that could be used for ad tracking. Instead of targeting individuals, advertisers would be targeting learned groups of similar people. The fact that the groupings were learned meant they could prove very sensitive indeed — collecting people by race, gender identity, sexuality, illness, addiction, anything.

Topics turns the logic around, instead of trying to learn similar people and giving the people an ID, Google will define a taxonomy of safe topics of interest, and then assign people to those topics on a rolling basis. As your surf, your weekly browsing habits get boiled down into a handful of topics, and the previous three weeks’ worth of topics will be used to present information about you to advertisers. Each website will be presented with a randomly chosen but sticky sub-set of your topics, and to add some noise and plausible deniability, 5% of the time a totally random topic will be added to the list. The algorithm is designed to ensure the topics API can’t be used to fingerprint users.

So, from a privacy POV Topics is much better than FLoC (and astronomically better than tracking cookies!).

But, this is still the browser tracking users to facilitate ads, so, Topics depends on other browsers adopting it. Will they? Personally, I doubt it.

There’s another significant problem IMO — because of how the fingerprint-prevention is implemented, the bigger your ad network, the more data you get from the Topics API, so Topics gives a clear advantage to larger ad networks over smaller ones. As Gruber put it, “this is a solution by Google for Google”.


Deep Dive 2 — Apple Makes SMS-based 2FA a Little Less Bad

Last year Apple released an open-source spec to add computer-readable context to 2FA text messages.

For some time now, Apple have had an excellent feature where numbers in the most recent SMS message are automatically offered as an auto-complete suggestion when entering 2FA codes into apps or websites. This is spectacularly convenient, but, that convenience comes with a nasty security sting in the tail — Apple have no idea whether the user is entering the code into the app or site it was intended for, or if they are being phished! Real-time phishing is a thing these days — the bad guys set up a malicious clone of a real site that uses SMS 2FA, and when the user enters their username and password it forwards those on to the real site, triggering the real site to send an SMS message with the code. The fake site presents the user with a box to type in the code, and if they do, forwards it to the real site, letting the attackers in.

The obvious defence here is to always check the domain name of the page you’re entering your credentials into, but not everyone does that, and the fact that Apple very conveniently offers the code as an auto-complete on the phishing site makes the whole process quicker, so there’s less time for the user to notice they’re not where they think they are.

Apple figured it would be great if the SMS messages with the code could tell the OS what site or app they are from, so they could be offered to the user only when appropriate. For that to work there’d need to be an agreed standard structure for the SMS messages. That’s what Apple published last year, and it’s nice and simple.

Each SMS message would have the following parts (I’ve copied these descriptions from the linked iMore article):

  1. A standard human-readable message, including the code, followed by a new line.
  2. The scoped domain as @domain.tld.
  3. The code repeated again as #123456.
  4. If the site uses an embedded HTML element, called an iframe, the source of the iframe is listed after %, such as %ecommerce.example.

Sites are now starting to adopt this standard, and, Apple have added support for it to the most recent releases of iOS, iPadOS & macOS, so, if you’re using a fully up-to-date Apple OS, and you use SMS-based 2FA on a site that supports the new format, you’ll only be presented with the auto-complete suggestion if you really are on the right page, or in the right app.

This makes entering SMS-based 2FA codes a little safer, but it does nothing to address the underlying problem that SMS itself is not a secure or reliable protocol!.

So, it still remains true that SMS 2FA is better than no 2FA, but just about any other 2FA is better than SMS-based 2FA!


Deep Dive 3 — US Federal Government Issues “Zero-Trust” Memo (by Allison)

The US Office and Management and Budget has released a memo advising the Federal Government on how to improve cybersecurity. The memo is very forward-leading which is honestly surprising for a government agency.

Key points outlined by BastionZero include:

  • Elimination of rotating passwords and passwords with special characters
  • Dropping use of SMS and phone verification for 2FA, but also getting rid of authenticator app-based 2FA. Instead, it recommends authenticator devices like Yubikey.
    • This would require the agencies or companies to push device certs to authenticate, which evidently would require inventory of users’ devices. This is problematic in the BYOD world
  • VPNs aren’t recommended either, rather authenticating people to specific services instead of the entire network
  • The memo mandates encrypted HTTP, and also encrypted DNS.
  • In perhaps the most surprising section, the memo recommends welcoming external partners and independent parties to test their vulnerabilities. This is in stark contrast with the Computer Fraud and Abuse Act which can criminalize those who exceed authorized access.


❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Excellent Explainers

Interesting Insights

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top