by O__________O 1426 days ago
How would Apple counter fingerprinting?

Already pointed out this issue in a prior post here 14 days ago:

https://news.ycombinator.com/item?id=32006436

From that comment: “If Apple is logging if this feature is on and sending it back to Apple, it will result in targeting from nation states even if this feature is “invincible” - which I have no reason it is; basically, nation states demand list of users subject to its jurisdiction.”

Obviously there are likely other ways to fingerprint Apple devices with lockdown mode on, but to me, at the point you need “lockdown mode” you likely should realize that doing so will likely make you more of a target.


I think one reason to make this feature public is to get more people to use it, and therefore dilute Lockdown Mode as a signal. As you say, it’s pretty easy for an attacker to detect this mode: with a browser, just check that the Safari version is high enough but that certain features are not available. If even 1% of iPhone users are using Lockdown mode, it’ll far exceed the number of people who really need the feature to stay ahead of nation-state targeting.

This would be another good reason for "lots of random people to use it," certainly - same as Tor.

Using Tor is legal justification for a warrant to remotely hack systems using it:

https://www.nolo.com/legal-encyclopedia/what-does-rule-41-sa...

As such, it is highly likely that most systems running Tor nodes have been hacked and that Tor is not secure.

It is very possible that lockdown mode might also be a legal justification for a warrant, given it “conceals” systems.

The issue is that automatically targeting users would be easy.

If Apple tracks users that have both lockdown mode and iCloud on, all a nation state with jurisdiction has to do is request a list of users with both on; having lockdown mode on might even qualify as justification for a search warrant to legally hack anyone using it, which is already the case for Tor:

https://www.nolo.com/legal-encyclopedia/what-does-rule-41-sa...

I find it horrifying that Apple has this feature, but makes no effort to inform users about the risks of iCloud; in my opinion, if you have lockdown mode on, iCloud should not be an option; it should trigger an offboarding from iCloud and wiping of any data on iCloud. I also pointed this out in comments here:

https://news.ycombinator.com/item?id=32006436

To me, as is, lockdown mode sounds like a honeypot:

https://en.m.wikipedia.org/wiki/Honeypot_(computing)

I think people here are misinterpreting the point of this feature. This isn't a feature for people to gain privacy against the nation-state they reside within the legal boundaries of.

The point of this feature, is to protect you, who live and are an upstanding citizen of [a country that is in the same vague "Western" political network as Apple itself] — but who have something that other nation-states want, like trade secrets — from APTs launched across the internet by cyber-privateers tacitly sponsored by those other nation-states.

Under such a threat model, who cares if Apple has your fingerprint, and if the US government can get said fingerprint? If you're a US citizen and in this situation, the US government very likely already has a close working relationship with you, having likely tasked the NSA to work closely with you to ensure that your "key industry" company doesn't suffer any GDP-damaging attacks.

Ways to counter fingerprinting:

Offer a spoof mode, make the Lockdown mode browser look to external websites like it isn't in Lockdown mode. Tricky but doable with some site breakage that can always be fixed by disabling Lockdown mode for sites a user trusts.

Convince as many people to use Lockdown mode as possible. I, for one, don't see any reason NOT to enable Lockdown mode on all my devices. Do you need iMessage URLs sent by randoms to load remote content without your consent?

Above all, let's begin to consider signed web content.

Have you ever studied fingerprinting, read the linked post that’s the subject of this thread, understood how prior advanced targeting attacks using fingerprinting worked, etc.?

As is, without even researching it, it appears very likely that lockdown mode is easy to fingerprint via a browser from the information shared in the linked article. Spoofing functionality that is off is not a common thing and would be very hard to do, if not impossible, if combined with a challenge-response-like counter-measure from the attacker to confirm the functionality is actually accessible to the end user.

How realistic is an "advanced fingerprinting attack", though?

I think the more realistic threat model here is presented by ad networks and major websites doing typical types of browser fingerprinting, like canvas, fonts, etc. as well as possibly some of the techniques mentioned in the article here, like webGL, JIT JS, etc.

In the case of a limited number of trusted sites that we focus on ensuring compatibility with, spoofing is easier, because we can pay a lot of attention to ensuring that our "middleman" fixes the errors introduced by spoofed client-to-server communications.

Some technologies like WebGL will simply never work on a spoofed site, of course. But for the very limited number of sites where users lose important functionality, they can just turn off Lockdown mode.

If a Lockdown'd phone habitually patronizes malicious websites, the protection will never be enough anyway. So we shouldn't worry about protecting against being fingerprinted by a very malicious website - Lockdown users must simply avoid these, with or without a fingerprinting vulnerability!

Sorry, but I don’t understand what you're technically describing.

If you're suggesting Apple should proxy all internet traffic to devices — that is a horrible idea, incredibly dangerous, and a huge step in the wrong direction. To counter the issues I pointed out, Apple would literally have to be able to decrypt all the traffic and act as if they were the user, which is obviously an insane security issue.

As for avoiding malicious websites, again, I don’t believe you understand what advanced attacks look like. Any site can be hacked and if it is, fingerprinting can be used to only attack a very well defined, known list of targets. For example, a very well known CEO of a security startup used a limousine service that was hacked after this was discovered and used to launch an attack against them.

I understand you're interested in the topic, that’s great, but try to balance your technical familiarity, familiarity with the topic, and the very real threat security breaches pose to a very small subset of the world. These features are not intended to counter ad companies, but attackers that in the worst case situation will ultimately kill the target.

> If you're suggesting Apple should proxy all internet traffic to devices — that is a horrible idea, incredibly dangerous, and a huge step in the wrong direction. To counter the issues I pointed out, Apple would literally have to be able to decrypt all the traffic and act as if they were the user, which is obviously an insane security issue.

iCloud Private Relay already exists.

I wasn't suggesting proxying anything, just that the browser should attempt to correct errors that it introduces into page rendering when it spoofs feedback to the server.

And again, is it a realistic threat model to imagine that a high volume website, trusted enough to be browsed regularly by Lockdown-paranoid users, will be hacked in such a way as to deliver a fingerprinting attack to browsers, and only that?

I appreciate the sense of superiority that you have, but try to follow along.

If I had a sense of superiority, why would I even be taking the time to attempt to understand what you’re saying? Makes no sense.

The device has the features turned off because they are known to be hard to harden against attacks or, worse, have known vulnerabilities. To spoof them being on, requests to the functionality that’s off on the device would have to be isolated by a proxy and sent to another device that accurately responds as if it was on, including against specifically designed counter-measures from an attacker to confirm the end user had real-time control over the proxied system. It just makes no sense to have such a complex system, and in the majority of situations it would require another device that would be vulnerable to attack and always near the target and secured device.

>> And again, is it a realistic threat model to imagine that a high volume website, trusted enough to be browsed regularly by Lockdown-paranoid users, will be hacked in such a way as to deliver a fingerprinting attack to browsers, and only that?

Simple answer is yes. Also, it doesn’t have to be a high volume website, just one the target trusts enough to visit.

> make the Lockdown mode browser look to external websites like it isn't in Lockdown mode.

This will be instantly defeated by benchmarking the JS performance. But disabling JIT is a VERY important step to harden your browser. This is one of those things where you have to actually choose between privacy and security.

>This will be instantly defeated by benchmarking the js performance.

How common is this behavior for non-malicious websites that a Lockdown mode user is likely to use? It seems to me that if you're loading malicious content from a site controlled by foreign intelligence services, you're probably done whether Lockdown is enabled or not. Preventing more casual profiling from common logs likely to be strewn about in CDNs, etc. is still an important level of protection, I'd argue.

Incredibly, extremely common on tons of sites.

Normal web pages that load ads will attempt to detect "fraud" by connecting back over WebRTC, running benchmarks to see how "valuable" of a user you are (how shit or expensive your hardware is), and running benchmarks to see whether you might be a fake browser/"ad fraud" user running large amounts of sessions at the same time and therefore have slower performance. It's bullshit and should be illegal.

I already dislike webgl leaking the model of my gpu, concurrency leaking memory and cores available, and disk space.

Go visit walmart or really any major site - almost more likely than not it will do this - and watch it attempt to enumerate all of your plugins, connect over webrtc, enumerate performance.* msPerformance, mozPerformance, make a webgl video and ask for the unmasked renderer, enumerate thousands of fonts, attempt and fail to spawn piles of ActiveXObject, use "window.msDoNotTrack" as a fingerprinting feature point, enumerate hundreds of browser functions and getters (maxTouchPoints, doNotTrack, hardwareConcurrency, ...) and call toString() on dozens of specific things like window.RTCDataChannel.toString() and see whether it fails in a try/catch, if it returns a function, or if it returns "function RTCDataChannel() { [native code] }" as a string, etc.

Can't edit anymore, but I want to point out that one particularly gross thing I've seen is code that checks how well your device characteristics line up with expectations for CPU and RAM.

The numbers are intentionally imprecise for anti-fingerprinting, but I've seen JS code that treats users as suspicious or bad when your logical core count reports 1-2 but memory is 8+, or a lot of cores and very little memory, or if your device is non-mobile but reporting less than 4 or 8 GB of memory. The assumption is that you are a virtual machine if you're a "desktop or laptop" and have a single or dual core in 2022, for example.
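As an added example that is not code from the thread, here is a defender-side triage scan: it flags a third-party script when its source reaches for several of the browser APIs the two comments above list as fingerprinting probes. The indicator list and the `threshold` value are assumptions for illustration, and both sample scripts are constructed.

```javascript
// Added example, not from the thread: static triage of a script for the
// fingerprinting probes named above. Each indicator is a regex over the
// script source plus a short tag used in the report.
const FINGERPRINT_INDICATORS = [
  { re: /\bhardwareConcurrency\b/, tag: 'cpu-cores' },
  { re: /\bdeviceMemory\b/, tag: 'memory' },
  { re: /\bmaxTouchPoints\b/, tag: 'touch' },
  { re: /\b(ms|moz)?[dD]oNotTrack\b/, tag: 'dnt' },
  { re: /\bUNMASKED_(RENDERER|VENDOR)_WEBGL\b/, tag: 'webgl-unmasked' },
  { re: /\bRTC(PeerConnection|DataChannel)\b/, tag: 'webrtc' },
  { re: /\bActiveXObject\b/, tag: 'activex' },
  { re: /\b(ms|moz)Performance\b/, tag: 'vendor-performance' },
  { re: /navigator\.plugins\b/, tag: 'plugins' },
  { re: /\[native code\]/, tag: 'native-code-check' },
  { re: /\bmeasureText\b/, tag: 'font-probe' },
  { re: /\btoDataURL\b/, tag: 'canvas' },
];

// Returns the tags of every indicator present in the script source.
function scanScript(source) {
  return FINGERPRINT_INDICATORS.filter(({ re }) => re.test(source)).map(({ tag }) => tag);
}

// A script hitting `threshold` or more distinct probes is marked for review
// or blocking. The threshold is an assumed tuning value, not from the thread.
function classifyScript(source, threshold = 3) {
  const hits = scanScript(source);
  return { hits, suspicious: hits.length >= threshold };
}

// Constructed sample: a probe script of the kind described in the comments.
const SAMPLE_PROBE = `
  var fp = {};
  fp.cores = navigator.hardwareConcurrency;
  fp.mem = navigator.deviceMemory;
  fp.touch = navigator.maxTouchPoints;
  fp.dnt = window.msDoNotTrack || navigator.doNotTrack;
  try { fp.rtc = window.RTCDataChannel.toString() === "function RTCDataChannel() { [native code] }"; } catch (e) {}
  var gl = document.createElement("canvas").getContext("webgl");
  var dbg = gl.getExtension("WEBGL_debug_renderer_info");
  fp.gpu = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
`;
// Constructed sample: ordinary page code that touches none of the probes.
const SAMPLE_BENIGN = `document.getElementById("cart").addEventListener("click", () => fetch("/api/cart"));`;

console.log(classifyScript(SAMPLE_PROBE));   // suspicious: true, 7 hits
console.log(classifyScript(SAMPLE_BENIGN));  // suspicious: false, no hits
```

A single hit (say, `navigator.plugins` on its own) stays below the threshold, so ordinary feature detection is not flagged.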

Wow. I had no idea. This bullshit is why I browse with javascript off, and enable it only on a per subdomain basis with uMatrix, and disable all the tracking technologies I can. I probably already stick out like a sore thumb to anyone doing browser fingerprinting.

Not only did the kids fail to get off our lawn, look at this giant hunk of poop they left all over it. Eternal September never ends.

Well, good thing they reverse-proxy the javascript code first party directly on the domain (www.*), and attempt to load multiple subdomains on the primary domain one after another (including randomised CDN paths).

> Above all, let's begin to consider signed web content.

What are you proposing that is not currently provided by https?

TLS is transport encryption, not a content signature.

Ideally, I'd like to see every resource being served along with a signature verifying its authenticity, origin, and suitability for public consumption.

Users would then be empowered to make the decision whether they wanted to interact with a resource that does not offer these protections, and assume the risk, or simply refuse to load any resource that doesn't positively identify where it's coming from, who made it, and who certifies it as worthy of their consumption.

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

Though so few sites use it that your browsing experience would be awful if you made it mandatory.

> If Apple is logging if this feature is on and sending it back to Apple,

Apple (and most for profit entities), tend to exclude themselves from their definition of "privacy".

Apple is not Google or Facebook: https://www.apple.com/privacy/

You have to explicitly opt into any logging in Apple apps and the OS itself (iOS or macOS). Apple clearly goes to great lengths to ensure that they cannot access your information and data, and very clearly distinguishes stuff that is inaccessible to them from stuff that is encrypted but for which they can technically access the decryption keys.

A result of this is of course that we get people complaining about apple not restoring their data.

What you're doing is demonstrating how effective Google, Facebook, etc. have been in convincing you that real privacy isn't actually possible, solely to protect it from legislative action, because their business models depend on violating it continuously.

Recall that Google deciding to trawl through the content of your email (assuming gmail) is why emails from amazon no longer include any details about the order.

Or how "AI" required Google and Facebook, et al having access to everyone's pictures and information.

The fact that G and FB have taken a "fuck our users" approach doesn't mean that's how every company operates. The fact of the matter is that >75% of Google's revenue comes from selling you out, and >90% of Facebook's. >80% of Apple's revenue comes from selling hardware, the remainder from selling services and I assume store royalties (I'd be interested in the breakout). You don't have to invade everyone's privacy to make money; it's just that G and FB have chosen that approach every time the option is presented to them.

In fact, if a company can decrypt your data then it becomes possible for a hacker of said company to also decrypt that data - a fairly solid reason IMO for either not collecting, or ensuring only the user can access info, unless absolutely necessary for functional or legal reasons.

What are you trying to prove? That Apple is the exception, that Apple really cares about you?

Apple is not a person, it is a large corporation without any of its original founders, it has no principles, it's a machine that operates on one metric: its bottom line. All of its behaviour is merely a result of profit seeking, public perception and legal limitation. Apple will play the "privacy" marketing tool for as long as it helps their bottom line, but not when it doesn't. Which is demonstrably true by their behaviour in China - they do not care. They also take billions of dollars from Google each year due to their control over the iOS browser... so they are quite happy to support privacy invasion.

No, that Apple doesn't shit on privacy - so saying that they all do is BS.

Implementing the features that apple does in a way that's private requires effort and money, it isn't marketing. Safari uses Google as the default search engine, but it also puts a lot of work into fighting Google's tracking, irrespective of what happens in the search field.

We can talk about how US businesses are generally shitty to the end of time, but we don't have to pretend that just because Google and FB shit on everyone's privacy that every corporation does.

iMessage is E2E even in China, apparently. The non-E2E services that Apple still has are not E2E in China or the US or the EU.