News this week from Twitter (TWTR) about a helpful security option left out a five-word warning: “Safari users need not apply.”
That’s because—not for the first time—that Apple (AAPL) browser has yet to support a security advance. Even as Safari has excelled at protecting privacy on the web, it’s trailed competitors Google (GOOG, GOOGL), Microsoft (MSFT) and Mozilla in defending against other online menaces.
That’s left people with an uncomfortable choice: First-rate security or first-rate privacy in a browser, but not both.
On the one hand, Safari keeps advertisers from following you around but makes it harder to secure your accounts. Meanwhile, Google’s Chrome provides strongest the armor against online attackers but does too much to indulge the creepier instincts of online marketers. You shouldn’t be happy about that.
A key to account security
Apple’s security lag is most obvious in the feature Twitter added: universal two-factor authentication, in which you verify a login by plugging a cryptographically-signed USB key into your computer.
“U2F” protects against somebody stealing your password and neatly solves major problems with phone-based two-step verification, the most common sort.
Confirming a login with a one-time code sent via text message to your phone won’t work without a cellular signal, such as on most planes. It can also be defeated if an attackerconvinces a customer-service rep at your wireless carrier to transfer your number to another device.
Having a smartphone app like Google’s Authenticator calculate confirmation codes eliminates the cellular-connectivity and account-takeover risks. But reconfiguring this app every time you switch devices is—as Google security product manager Stephan Somogyi told me last July—“a complete, total and unmitigated pain.”
Chrome has supported U2F since 2014. This spring, Microsoft and Mozilla said they would support a successor standard, WebAuthn, in their Edge and Firefox browsers. In May Firefox did just that—although Google accounts still rely on the older U2F standard that won’t work in Firefox until you enable a hidden option.
Apple, however, has remained opaque on this point. It does have employees participating in the WebAuthn development process, but the possible-features list of Safari’s WebKit open-source foundation only shows this option as “Under Consideration.” Apple pointed to those two details but did not clarify its intentions. Not for the first time, its instinctive secrecy does it no favors.
The history here suggests no rush to adopt WebAuthn. Joseph Lorenzo Hall, chief technologist with the Center for Democracy & Technology, observed in email that “Apple is frequently late to do standards”—though he expects the company to welcome this one eventually.
Enlightening users about encryption
Safari has also trailed its competitors in web encryption, which stops your internet provider and any third parties online from recording passwords you type or tracking your browsing history beyond the domain names of sites you visit.
For instance, Chrome began warning of unencrypted fields for passwords and credit-card numbers at the start of 2017. Apple didn’t add its own alert for such sensitive data input—a “Not Secure” label in prominent red type—until the end of March.
And while Chrome already adds an “i” logo icon to the address of unencrypted sites, which when clicked warns that they’re not secure, Safari offers no such heads-up that a site won’t stop third-party eavesdropping. July’s update to Chrome should make this advisory more obvious with a “Not secure” label atop every unencrypted page.
These warnings matter because most people don’t recognize traditional browser hints about site security. Last March, the Pew Research Center released a survey finding thatonly a third of Americans knew that an “https” prefix in a site address meant it used encryption.
A similar pattern prevailed after security researchers confirmed that a widely used encryption algorithm called SHA-1 could be readily defeated. Chrome was the first major browser to label pages using SHA-1 encryption “not secure,” starting in 2015; by early 2016, it began blocking those pages.
Firefox followed suit in February of 2017, Edge in May—but Apple did not take the same step until October of that year. Fortunately, most SHA-1 holdouts had upgraded their encryption by then, in part because of Google’s public shaming.
