Apple’s Safari has dropped the ball on security

Apple Chief Executive Officer Tim Cook speaks at the Apple Worldwide Developer conference in San Jose, California, U.S., June 4, 2018. REUTERS/Elijah Nouvelage

News this week from Twitter (TWTR) about a helpful security option left out a five-word warning: “Safari users need not apply.”

That’s because—not for the first time—Apple’s (AAPL) browser has yet to support a security advance. Even as Safari has excelled at protecting privacy on the web, it has trailed competitors Google (GOOG, GOOGL), Microsoft (MSFT) and Mozilla in defending against other online menaces.

That’s left people with an uncomfortable choice: First-rate security or first-rate privacy in a browser, but not both.

On the one hand, Safari keeps advertisers from following you around but makes it harder to secure your accounts. Meanwhile, Google’s Chrome provides the strongest armor against online attackers but does too much to indulge the creepier instincts of online marketers. You shouldn’t be happy about that.

A key to account security

Apple’s security lag is most obvious in the feature Twitter added: universal two-factor authentication, in which you verify a login by plugging a USB security key that cryptographically signs the login into your computer.

“U2F” protects against somebody stealing your password and neatly solves major problems with phone-based two-step verification, the most common sort.

Confirming a login with a one-time code sent via text message to your phone won’t work without a cellular signal, such as on most planes. It can also be defeated if an attacker convinces a customer-service rep at your wireless carrier to transfer your number to another device.

Having a smartphone app like Google’s Authenticator calculate confirmation codes eliminates the cellular-connectivity and account-takeover risks. But reconfiguring this app every time you switch devices is—as Google security product manager Stephan Somogyi told me last July—“a complete, total and unmitigated pain.”

Chrome has supported U2F since 2014. This spring, Microsoft and Mozilla said they would support a successor standard, WebAuthn, in their Edge and Firefox browsers. In May Firefox did just that—although Google accounts still rely on the older U2F standard that won’t work in Firefox until you enable a hidden option.

Apple, however, has remained opaque on this point. It does have employees participating in the WebAuthn development process, but the feature-status list of WebKit, the open-source engine underneath Safari, only shows this option as “Under Consideration.” Apple pointed to those two details but did not clarify its intentions. Not for the first time, its instinctive secrecy does it no favors.

The history here suggests no rush to adopt WebAuthn. Joseph Lorenzo Hall, chief technologist with the Center for Democracy & Technology, observed in email that “Apple is frequently late to do standards”—though he expects the company to welcome this one eventually.