What you need to know
- Safari Fraudulent Website Warning flags malicious websites.
- It uses Google's malicious website list internationally and Tencent's list for devices set to China.
- Actual URLs are not shared, though IPs have to be transmitted, and the feature can be turned off.
Apple and China have a complicated relationship and situation that's exploded in the news over the last week. (Much more on that in a future column.) It's led to some incredibly informative reporting, but also some ride-along FUD (fear, uncertainty, and doubt). A recent story about how Apple handles Safari Fraudulent Website Warning's, got caught up in the latter. Which is unfortunate, because it's something everyone should be informed about.
First, here's Apple's statement:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning," Apple told iMore. "A security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Second, here's how the system works:
Google and Tencent send Safari hashed prefixes of URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region set to mainland China, you get Tencent's. Hash prefixes, while imperfect, were designed to be more general than specific URLs.
Safari checks any web page you try to go to again the list of hash prefixes. If they match, the page may be malicious.
At that point, Safari asks Google or Tencent for the full list of URLs that match the hashed prefix.
Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.
Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.
If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.
In a perfect world, a more privacy-centric company like Duck Duck Go or Apple would be able to maintain and use their own lists, both internationally and inside China. In the meantime, some system that anonymizes and relays requests, like Siri does or like Sign in with Apple, perhaps, could improve privacy within the current implementation.
So, for now, browse smart and browse safe.
Gold iPhone 12 Pro buyers get a special fingerprint-resistant coating
It turns out that there might be one iPhone 12 Pro to rule them all, and it's coated in gold. Sort of.
The Fluora LED Houseplant adds magic to any home, no green thumb needed
Want to add a touch of magic to your home? Then you should check out the Fluora LED Magic Houseplant, live now on Kickstarter until November 20, 2020.
This AirTags video shows how awesome colorful little pucks could be
AirTags are surely going to be announced eventually, but will they come in different colors? Let's hope so!
Keep an eye on the front door with the best HomeKit video doorbells
HomeKit video doorbells are a great way to keep an eye on those precious packages at your front door. While there are just a few to choose from, these are the best HomeKit options available.