Deep Dive 1 — Opera’s ‘VPN’ is Useful but Poorly Named
Opera made some news by bringing the free in-browser feature it calls a VPN to iOS, which makes the feature truly cross-platform: Windows, Mac, Android, and now iOS. The news prompted me to look into the feature before linking to the story, because the name implies this is a VPN service, and that simply toggling a button in the app's settings will magically protect you the way a true VPN does. It does not!
I was deeply suspicious, but it took quite a bit of sleuthing to get a proper understanding of what's going on, because almost every news story just slightly re-phrased the official press release without adding context, detail, or, frankly, value.
Aside/Rant: my hunt for details was an eye-opening experience from which I've concluded that a lot of so-called 'journalists' are very likely to be replaced by ChatGPT soon, because they're already useless, insight-free noise!
I had two concerns:
- Opera are a for-profit company, so how are they offering a free VPN service that they claim respects privacy?
- How could it be technically possible for a browser to contain a true VPN?
The few good articles I found on the topic all addressed the 'follow the money' question, and this excerpt from TechCrunch summarises the company's response well:
“The company is able to offer free tools to end users because it generates revenue through other channels, including search and ad revenues, as well as technology licensing fees. It’s projecting $370 – $390 million in revenues for 2023, for instance.” — TechCrunch
TechCrunch then goes on to point out that, despite the company being headquartered in Oslo (Norway) and GDPR compliant, there is some concern over the fact that there are significant Chinese shareholders. Given their HQ is in Oslo I think they're probably safe from formal CCP (Chinese Communist Party) interference (I'm sure they're being targeted by espionage just like every other major company in the world!)
But what about the tech? Honestly, I think it's disgraceful that the company are using a technical term with a real technical meaning to describe a service that does not meet that meaning at all. If you look only at the non-jargon, plain-English definitions of the word you can sort of stretch them to cover what the product does, but I can't honestly describe this as anything less than misleading. This 'VPN' service does not use any VPN protocols!
A true VPN is a low-level networking concept: a virtual network interface is added to the OS, and to the OS it looks as if you had added an extra ethernet or wifi card (on a Mac it shows up as something like utun0, on Linux as tun0 or wg0). But instead of being a hardware device, this interface uses software to wrap all the traffic routed through it in strong encryption, using a protocol such as WireGuard, IPsec or OpenVPN, and then sends the encrypted packets over the internet to another computer somewhere else in the world where the reverse happens. Because the OS routes traffic through that interface, every app on the device is covered, not just one of them.
What Opera is doing is different: it is a browser-level proxy. The browser app opens a TLS (basically HTTPS) connection to an Opera server and sends its DNS lookups and HTTP(S) requests through it, and Opera's server forwards them out to the internet. This means it is the browser's traffic that is encrypted, and only the browser's traffic; your mail client, your other apps, and the OS itself are untouched. It also means Opera's server sees both your real IP address and every site you visit, so you are trusting Opera with exactly the information any proxy or VPN operator is in a position to collect. An easy way to confirm the scope for yourself is to open an IP-checking site in Opera with the feature on, then do the same in another browser or with curl: if the two addresses differ, only Opera is covered.
While the technology is not the same, functionally this is roughly equivalent to Apple's iCloud Private Relay (part of iCloud+), which covers Safari rather than the whole device. One real difference worth knowing: Private Relay uses two hops, so Apple sees your IP address but not your destination, and the second relay sees your destination but not your IP, whereas Opera's single proxy sees both. But because Opera markets its feature as a VPN, it sounds like it does more. Apple's branding is honest, while Opera's is misleading!
Best case, this is just marketing folks getting away with too much, but it leaves a really bad taste in my mouth. As I see it, either management are ignorant, spineless, or dishonest, and none of those options are good enough IMO, so I will not be recommending this to anyone.
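To make the distinction concrete, here is an added example of the check a practitioner would actually run on a box; it is my own illustration for these notes, not code from Opera or from any of the linked articles. It parses the text printed by `ip -brief link` and `ip route show` on Linux (on a Mac, ifconfig and netstat -rn carry the same information) and reports whether the host has no tunnel interface at all, a tunnel that carries every destination, or a split tunnel that only carries some subnets. A browser proxy like Opera's leaves the host in the first bucket, because nothing changes at the OS level. The interface names and the captured command outputs below are constructed for the example.

```python
"""Does this host actually route ALL its traffic through a VPN tunnel?

Added example for these show notes, not code from Opera or the linked
articles. It classifies a Linux host from `ip -brief link` and
`ip route show` text as one of:

  no-vpn        no tunnel interface exists; at best one app proxies its own
                traffic (which is what a browser "VPN" gives you)
  full-tunnel   a tunnel interface carries the whole IPv4 address space
  split-tunnel  a tunnel exists but only some destinations use it

Caveat: wg-quick keeps WireGuard's default route in its own routing table,
so feed it `ip route show table all` rather than just the main table.
"""
import ipaddress
import re
import subprocess
from typing import Optional

NO_VPN = "no-vpn"
FULL_TUNNEL = "full-tunnel"
SPLIT_TUNNEL = "split-tunnel"

# Name prefixes used by common tunnel drivers (tun/tap, WireGuard, macOS
# utun, PPP/L2TP, ipsec). A physical NIC never gets one of these names.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "utun", "ppp", "ipsec")

EVERYTHING = ipaddress.ip_network("0.0.0.0/0")
# OpenVPN's "redirect-gateway def1" trick: two /1 routes that together cover
# all of IPv4 and beat the real default route by being more specific.
LOWER_HALF = ipaddress.ip_network("0.0.0.0/1")
UPPER_HALF = ipaddress.ip_network("128.0.0.0/1")


def tunnel_interfaces(ip_link_output: str) -> list:
    """Names from `ip -brief link` output that look like software tunnels."""
    names = []
    for line in ip_link_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        name = parts[0].split("@")[0]  # "wg0@NONE" -> "wg0"
        if name.startswith(TUNNEL_PREFIXES):
            names.append(name)
    return names


def routes(ip_route_output: str) -> list:
    """Parse `ip route show` lines into (destination network, device) pairs.

    Lines without a `dev`, or whose first word is not an IPv4 destination
    (e.g. the "local"/"broadcast" entries in `table all`), are skipped.
    """
    table = []
    for line in ip_route_output.splitlines():
        line = line.strip()
        if not line:
            continue
        dest = line.split()[0]
        dev = re.search(r"\bdev\s+(\S+)", line)
        if dev is None:
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            table.append((net, dev.group(1)))
    return table


def full_tunnel_device(table) -> Optional[str]:
    """The tunnel device that carries all of IPv4, or None if there is none."""
    nets_by_dev = {}
    for net, dev in table:
        if dev.startswith(TUNNEL_PREFIXES):
            nets_by_dev.setdefault(dev, set()).add(net)
    for dev, nets in nets_by_dev.items():
        if EVERYTHING in nets or {LOWER_HALF, UPPER_HALF} <= nets:
            return dev
    return None


def classify(ip_link_output: str, ip_route_output: str) -> str:
    tunnels = tunnel_interfaces(ip_link_output)
    if not tunnels:
        return NO_VPN
    if full_tunnel_device(routes(ip_route_output)):
        return FULL_TUNNEL
    return SPLIT_TUNNEL


# --- constructed sample captures (not real hosts) ----------------------------
LAPTOP_LINK = """\
lo     UNKNOWN  00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0   UP       52:54:00:12:34:56 <BROADCAST,MULTICAST,UP,LOWER_UP>
"""
LAPTOP_ROUTE = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5 metric 100
"""
# Same laptop with an OpenVPN full tunnel up; 203.0.113.10 is the VPN server,
# which must stay reachable through the physical NIC.
OPENVPN_LINK = LAPTOP_LINK + "tun0   UNKNOWN  <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP>\n"
OPENVPN_ROUTE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 10.0.0.1 dev eth0
"""
# A WireGuard peer with AllowedIPs = 192.168.50.0/24 only (split tunnel).
WIREGUARD_LINK = LAPTOP_LINK + "wg0    UNKNOWN  <POINTOPOINT,NOARP,UP,LOWER_UP>\n"
WIREGUARD_ROUTE = LAPTOP_ROUTE + "192.168.50.0/24 dev wg0 scope link\n"


def classify_live() -> str:
    """Run the real commands on a Linux host (the samples above do not)."""
    link = subprocess.run(["ip", "-brief", "link"], capture_output=True, text=True, check=True).stdout
    route = subprocess.run(["ip", "route", "show", "table", "all"], capture_output=True, text=True, check=True).stdout
    return classify(link, route)


if __name__ == "__main__":
    for label, link, route in [("laptop", LAPTOP_LINK, LAPTOP_ROUTE),
                               ("openvpn", OPENVPN_LINK, OPENVPN_ROUTE),
                               ("wireguard", WIREGUARD_LINK, WIREGUARD_ROUTE)]:
        print(f"{label:10s} {classify(link, route)}")
```

The point of the three samples is the middle one: a real VPN client changes the routing table so that every application's packets go to tun0, and the OpenVPN def1 split into two /1 routes is handled explicitly because it is the most common way that shows up. Run classify_live() on a Linux machine with Opera's feature switched on and you get no-vpn, which is the whole argument in one line.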
- Opera brings its free VPN to iOS to rival Apple and Google’s paid alternatives — techcrunch.com/…
- Opera Brings Free VPN to iOS, But We Still Can’t Recommend It — techweez.com/…
Deep Dive 2 — What’s Apple’s (Relatively) New ‘Rapid Security Response’ Feature?
Note: This segment is a special request from Allison, who came across a feature she didn’t recognise on a popular Apple fan site, and asked that I explain it on the show.
At last summer's WWDC Apple announced an upcoming improvement to how they would handle critical security updates, which they branded Rapid Security Response. However, it was one of those features they promised would be coming 'later', rather than shipping with the initial releases of macOS 13 & iOS 16. I made a mental note that we needed to talk about Rapid Security Response on this segment when it went live, but we never did. Why? Because news of its launch with macOS 13.2 and iOS 16.2 in January 2023 got drowned out by the more dramatic advanced iCloud protections that also went live with those releases.
So, what changed in January? To understand that, let's remind ourselves how things worked before.
OS updates contained a mix of feature releases, bug fixes, and security patches. Automatic software updates were not just supported but positively encouraged, with Apple nudging users towards turning them on. But even with automatic updates on, most people's devices didn't get updated straight away: Apple intentionally staggered the rollout over multiple weeks, starting with a small cohort of devices and then ramping up as it became clearer the update was free from unintended side-effects. This is absolutely fine for new features, and acceptable for bug fixes, but it's not nearly good enough for security fixes, where every day of delay is another day attackers can use a vulnerability that is now public.
What Apple have done now is split the important security updates out into a completely different mechanism, designed to deliver small, targeted security fixes quickly, without the staggered rollout. Because the changes are tightly focused on fixing specific security vulnerabilities they are much less likely to break things, and of course they're much smaller, so there's no need to wait for the device to have a good internet connection before starting the automated download. Also, because they are so tightly focused, Apple can avoid the need for reboots most of the time.
The feature is on by default, so you don't have to do anything to benefit from this enhanced protection. If you want to check, the toggle lives under Settings > General > Software Update > Automatic Updates on iOS, and behind the (i) button next to Automatic updates under System Settings > General > Software Update on macOS. You can tell a Response has been applied because a letter in parentheses gets appended to the OS version number, starting with (a) for the first Response on top of a given release; on a Mac, running sw_vers in the Terminal shows it as a separate ProductVersionExtra line. And if one ever misbehaves, it can be removed again from Settings > General > About > iOS Version, which is part of why Apple can push them out more aggressively than a full update. Just know that since January, Apple's latest OSes are just that little bit easier to keep secure 🙂
- The article that piqued Allison’s interest: Apple’s separation of security and features – a game-changer for device security — 9to5mac.com/…
- A good overview of the feature: What is Apple Rapid Security Response update, and how to enable it? — www.igeeksblog.com/…
❗ Action Alerts
- Apple issues emergency patches for spyware-style 0-day exploits – update now! — nakedsecurity.sophos.com/… & iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 Address Serious Security Vulnerabilities, Fix Bugs — tidbits.com/…
- Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads — nakedsecurity.sophos.com/…, Apple issues iOS 15.7.5, iPadOS 15.7.5, macOS Monterey, Big Sur security updates — appleinsider.com/… & Safari 16.4.1 — tidbits.com/…
- Apple rolls out tvOS 16.4.1 and HomePod software version 16.4.1 — appleinsider.com/…
- Patch Tuesday: Microsoft fixes a zero-day, and two curious bugs that take the Secure out of Secure Boot — nakedsecurity.sophos.com/…
- Twitter Circle tweets are not that private anymore — techcrunch.com/… (Editorial by Bart: my advice is to just assume everything you type into Twitter is probably gonna leak at some stage, even your DMs!)
- Owners of Nexx IoT devices (including garage door openers and alarm systems!) need to be aware that the products have catastrophic security design flaws — nakedsecurity.sophos.com/…
- 🇺🇸 Official Advisory from the US Cybersecurity & Infrastructure Security Agency (CISA) — www.cisa.gov/…
- 🇺🇸 eFile tax website served malware to visitors for weeks — appleinsider.com/… (Officially authorised by the IRS!)
- Attention gamers! Motherboard maker MSI admits to breach, issues “rogue firmware” alert — nakedsecurity.sophos.com/… (It’s possible they’ve lost their private keys, so don’t rely on digital signatures to verify files — follow MSI’s advice and only install drivers downloaded directly from their official)
- Customers still can’t access My Cloud data after Western Digital hack fallout — appleinsider.com/… (WD still investigating, so not clear yet how bad this is)
- Citizen Lab have released findings highlighting the existence of another NSO Group-like grey-hat security firm in Israel selling Pegasus-like spyware to governments around the world, this time it's Reign by QuaDream — appleinsider.com/…
- The US Government has re-issued its previous PSA reminding people to avoid plugging their phone into other people’s chargers. There’s no actual new info in the PSA, and nothing has actually happened, but for some reason this mundane PSA triggered a wave of news stories as if there had suddenly been a surge in attacks or something like that: Why is ‘Juice Jacking’ Suddenly Back in the News? — krebsonsecurity.com/…
- Good advice to bookmark and share with friends & family: 6 ways to avoid ‘juice jacking’ at public iPhone charging stations — www.cultofmac.com/…
- Some impressive Math nerdery you can get as a cookie cutter: Einstein tilings – the amazing “Hat” shape that never repeats! — nakedsecurity.sophos.com/…
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.