What you need to know
- Safari Fraudulent Website Warning flags malicious websites.
- It uses Google's malicious website list internationally and Tencent's list for devices set to China.
- Actual URLs are not shared, though IPs have to be transmitted, and the feature can be turned off.
Apple and China have a complicated relationship and situation that's exploded in the news over the last week. (Much more on that in a future column.) It's led to some incredibly informative reporting, but also some ride-along FUD (fear, uncertainty, and doubt). A recent story about how Apple handles Safari Fraudulent Website Warning's, got caught up in the latter. Which is unfortunate, because it's something everyone should be informed about.
First, here's Apple's statement:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning," Apple told iMore. "A security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Second, here's how the system works:
Google and Tencent send Safari hashed prefixes of URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region set to mainland China, you get Tencent's. Hash prefixes, while imperfect, were designed to be more general than specific URLs.
Safari checks any web page you try to go to again the list of hash prefixes. If they match, the page may be malicious.
At that point, Safari asks Google or Tencent for the full list of URLs that match the hashed prefix.
Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.
Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.
If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.
In a perfect world, a more privacy-centric company like Duck Duck Go or Apple would be able to maintain and use their own lists, both internationally and inside China. In the meantime, some system that anonymizes and relays requests, like Siri does or like Sign in with Apple, perhaps, could improve privacy within the current implementation.
So, for now, browse smart and browse safe.
UAG's Civilian Series cases offer lightweight yet rugged protection
Urban Armor Gear, or UAG, has released a sharp-looking new case. It's feather-light but is designed to absorb and disperse shocks in case you drop your precious iPhone.
Twitter announces new controls for conversations, available globally now
Twitter has announced that it is changing the way conversations work on Twitter, bringing more control to users so as to make Twitter safer and more comfortable.
Apple and Intel file antitrust lawsuit against patent troll
A report suggests that Apple and Intel have filed a lawsuit against Fortress Investment Group, over claims it has acquired patents for the sole purpose of litigating against large tech companies and that it has violated U.S. antitrust laws.
Webcam hacking is real, but you can protect yourself with a privacy cover
Here are the best webcam privacy covers available for your MacBook that’ll give you some serious peace of mind.
