Chiang Mai Computer Club

'Sign In With Apple’ Protects You in Ways Google and Facebook Don’t - Wired


Post by bdahm Fri Jun 07, 2019 4:08 pm

Note: You’ve probably seen the initial log-in screen to many sites, which gives you a chance to sign in using your Google or Facebook credentials. There’s some fancy handshaking that goes on using a protocol called OAuth, but I’ve always wondered if the site itself may not be spoofed and this is just a way of grabbing your credentials before passing you on. Not only that, but using this method also allows Google or Facebook to track you from that point. As a result I don’t use it, preferring to use my user ID and password instead, but some sites don’t even give you that option.


At Apple's Worldwide Developers Conference on Monday, the company debuted a slew of products and services, including a new Mac Pro that's part raw computing power, part cheese grater. But one new feature, mentioned in passing, could have an outsized impact on user security and privacy for years to come. Apple now has its own single-sign-on scheme—and it's a major reimagining of how such a mechanism can work.



https://www.wired.com/story/sign-in-with-apple-sso-google-facebook/

-Bill

bdahm
Admin

Posts : 682
Join date : 2009-05-15
Age : 81

http://www.tinyurl.com/thaijournal


Post by bdahm Thu Jun 13, 2019 11:45 am

Here is what security guru Steve Gibson had to say about ‘Sign in With Apple’ on a recent episode of his podcast, Security Now.



During yesterday's Apple WWDC 2019 kickoff, Apple announced their launch of a privacy-respecting "Sign-In with Apple" OAuth redirection service similar to the very familiar "Sign-In with Google" and "Sign-In with Facebook."


They also beat all other OAuth providers to the punch by adding a feature to their forthcoming OAuth redirection service which I'll call: "managed random eMail address provisioning". This is a brilliant idea, and it's a reason for using Apple's OAuth service over others, even if one isn't concerned about OAuth's tracking.
So first let's back up a bit.


As we know, OAuth is a convenience, but it also comes at the clear cost of explicit and high-reliability tracking. When our browsers are redirected through that chosen 3rd-party authentication provider, that 3rd-party knows who we are -- since we have an account with them -- and they know to which site we are signing in, since they are negotiating our identity with that site, on our behalf, behind the scenes. And all of this uses 1st-party session cookies.


So we know that there's just no way that Facebook and Google, both having strong financial interests in compiling activity profiles about everyone, are not actively leveraging that very specific and clear who-you-are and where-you're-going information. As we know, traditional browser tracking is inherently soft and fuzzy and requires some degree of behavioral inference. Not so with explicit "sign-in with..." OAuth. So on the tracking privacy front this was clearly another poke in the eye by Apple to all of the other OAuth trackers.


The problem is that, for the experience to be seamless, our browsers need to be maintaining an active session-state with the OAuth provider, so that our browsers can bounce through them transparently. But I have no such relationship with Facebook. And although I'm currently an avid Apple device consumer, I don't currently have such a relationship with Apple, because Apple is not, otherwise, a provider of online services for me. But I do have a relationship with Google. Every one of my various browsers maintains persistent sessions with Google... because Google already offers many online services which I use. And while I dislike the idea of being tracked, it's not really something I worry about. I strongly HATE the idea from a technology standpoint of it NOT being under my control, if I did care. That seems really wrong. And I certainly understand that many people DO care.


Remember, though, that as part of the OAuth transaction, the site being signed into can request data from the site you're signing in =with= ... such as your username and your eMail address. Since this happens behind the scenes, users may not even be aware of it. Or if they are shown that this will be happening, they're typically not given the option to not have that information provided. So, what may mean a great deal to many people who deeply trust Apple, (and in a moment we'll see why "deep trust" is required), is that rather than providing the service that I'm being signed into my =real= Apple eMail account, (which would *really* annoy me because that's a unique account I use only for Apple), Apple will be offering the option to proactively mask their users' actual eMail by providing a randomly chosen eMail "relay address".

Security Now! #717


I called this "managed random eMail address provisioning" since, on stage yesterday, Craig Federighi indicated that Apple users would have some means for curating and removing the relay addresses from any sites from which they no longer wish to receive eMail. This DOES place Apple in the enviable position of receiving -- and viewing if they wished -- and then forwarding ALL of the eMail being received.


That's probably not a big deal since Google already receives and scans all of the eMail pouring through their servers. And Apple certainly promotes their enforcement of our privacy rights much more strongly than either Facebook or Google. But it is something to keep in mind. For me, my Google eMail is already my designated "junk" eMail bucket since its anti-spam filtering is so good. And today my Apple eMail account has remained utterly pure since I have never used it for anything else. So I think I'd rather be using "Sign in with Google" and have that eMail address disseminated than to start polluting the eMail account I share with Apple.


But, interestingly, one reason to think that it WILL become prevalent, at least from within apps over which Apple has control (like those for iOS) is that offering it will NOT be optional. Down in the fine print at the end of Apple's new App Store Review Guidelines Apple states: “Sign In with Apple will be available for beta testing this summer. It will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year.”


So any apps which offer OAuth third-party logins like Facebook, Google or whatever, MUST also offer Apple's own sign in service as well. Users won't need to choose Apple, but the option will need to be presented.


-Bill

bdahm
Admin

Posts : 682
Join date : 2009-05-15
Age : 81

http://www.tinyurl.com/thaijournal
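
The provider-side bookkeeping discussed in the post above (the record of who signed in where, the e-mail claim released to the site, and per-site relay addresses that can be revoked), as an added Python example that is not part of the original post or the podcast notes and is not Apple's implementation. The class, its method names, the relay.example domain and the sample URL are all constructed for illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

RELAY_DOMAIN = "relay.example"  # constructed; not any vendor's real relay domain
SAMPLE_AUTH_URL = ("https://idp.example/authorize?response_type=code&client_id=shop"
                   "&redirect_uri=https%3A%2F%2Fshop.example%2Fcb&scope=openid%20email")

class IdentityProvider:
    """Toy "Sign in with ..." provider: a hypothetical model, not a real API."""

    def __init__(self):
        self.sessions = {}    # session cookie -> real e-mail of the signed-in user
        self.relays = {}      # relay address -> (real e-mail, relying-party host)
        self.signin_log = []  # (real e-mail, host): the who and where it learns
        self.mail_seen = []   # bodies of all mail passing through the relay

    def authorize(self, cookie, auth_url, hide_email=True):
        """Handle the browser redirect and return the claims released to the site."""
        user = self.sessions[cookie]              # identified by first-party cookie
        query = parse_qs(urlsplit(auth_url).query)
        site = urlsplit(query["redirect_uri"][0]).hostname
        self.signin_log.append((user, site))
        claims = {}
        if "email" in query.get("scope", [""])[0].split():
            claims["email"] = self.relay_for(user, site) if hide_email else user
        return claims

    def relay_for(self, user, site):
        """Return the user's relay address for this site, creating it on first use."""
        for addr, owner in self.relays.items():
            if owner == (user, site):
                return addr
        addr = f"{secrets.token_hex(6)}@{RELAY_DOMAIN}"
        self.relays[addr] = (user, site)
        return addr

    def deliver(self, to_addr, body):
        """Forward mail for a relay address; returns None once it has been revoked."""
        if to_addr not in self.relays:
            return None
        self.mail_seen.append(body)               # the relay operator can read this
        return self.relays[to_addr][0]

    def revoke(self, relay_addr):  # user-side curation: stop one site's address
        self.relays.pop(relay_addr, None)

if __name__ == "__main__":
    idp = IdentityProvider()
    idp.sessions["cookie-1"] = "alice@mail.example"   # constructed user
    print(idp.authorize("cookie-1", SAMPLE_AUTH_URL), idp.signin_log)
```

In this model the site only ever receives the relay address, while `signin_log` and `mail_seen` stay populated on the provider's side regardless of the `hide_email` setting.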
