News this week from Twitter (TWTR) about a helpful security option left out a five-word warning: “Safari users need not apply.”
That’s because—not for the first time—that Apple (AAPL) browser has yet to support a security advance. Even as Safari has excelled at protecting privacy on the web, it’s trailed competitors Google (GOOG,GOOGL), Microsoft (MSFT) and Mozilla in defending against other online menaces.
That’s left people with an uncomfortable choice: First-rate security or first-rate privacy in a browser, but not both.
On the one hand, Safari keeps advertisers from following you around but makes it harder to secure your accounts. Meanwhile, Google’s Chrome provides the strongest armor against online attackers but does too much to indulge the creepier instincts of online marketers. You shouldn’t be happy about that.
A key to account security
Apple’s security lag is most obvious in the feature Twitter added: Universal 2nd Factor authentication, in which you verify a login by plugging a USB security key into your computer; the key cryptographically signs a challenge sent by the site, and the site checks that signature against the public key you registered.
“U2F” protects against somebody stealing your password, and because the key’s signature is also bound to the web address of the site requesting it, a look-alike phishing site gets nothing it can reuse. It also neatly solves major problems with phone-based two-step verification, the most common sort.
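To make the mechanism concrete, here is an added example (not code from the article, Twitter or any browser vendor) of the U2F challenge-response in Go, using the standard library’s ECDSA. The authenticator keeps one key pair per registered origin, signs the origin hash, a counter and the challenge, and refuses to use a key handle for any origin other than the one it was created for. The origins `https://example.com` and `https://examp1e.com` are assumed placeholders; a real security key wraps the private key inside the handle rather than storing it in a map, but the checks are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// regKey is one registration: the origin it was created for and its private key.
type regKey struct {
	origin string
	priv   *ecdsa.PrivateKey
}

// Authenticator models a U2F security key. Real keys wrap the private key
// into the key handle; here (for illustration) the handle indexes a map.
type Authenticator struct {
	keys    map[string]regKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]regKey{}}
}

// Register creates a fresh key pair for the origin the browser reports and
// returns the key handle and public key the site stores with the account.
func (a *Authenticator) Register(origin string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	hb := make([]byte, 16)
	if _, err := rand.Read(hb); err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", hb)
	a.keys[handle] = regKey{origin: origin, priv: priv}
	return handle, &priv.PublicKey, nil
}

// signedData is the message U2F signs: origin hash || counter || challenge hash.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	challengeHash := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(originHash[:], ctr[:]...)
	return append(msg, challengeHash[:]...)
}

// Authenticate signs the challenge for the origin the browser reports. The
// browser, not the web page, supplies the origin, so a phishing page cannot
// lie about it, and the key refuses a handle registered for another origin.
func (a *Authenticator) Authenticate(origin, handle string, challenge []byte) (uint32, []byte, error) {
	k, ok := a.keys[handle]
	if !ok || k.origin != origin {
		return 0, nil, fmt.Errorf("key handle not valid for origin %s", origin)
	}
	a.counter++
	digest := sha256.Sum256(signedData(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return a.counter, sig, err
}

// Server holds what the site stores for one account.
type Server struct {
	origin      string
	handle      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify checks the signature over the server's own origin and challenge and
// rejects a counter that did not advance (a replayed or cloned-key response).
func (s *Server) Verify(challenge []byte, counter uint32, sig []byte) bool {
	if counter <= s.lastCounter {
		return false
	}
	digest := sha256.Sum256(signedData(s.origin, counter, challenge))
	if !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return false
	}
	s.lastCounter = counter
	return true
}

// Demo runs a genuine login, a replay and a phishing relay; returns the three outcomes.
func Demo() (legit, replayed, phished bool) {
	const realOrigin = "https://example.com"  // assumed real site
	const phishOrigin = "https://examp1e.com" // assumed look-alike site
	key := NewAuthenticator()
	handle, pub, err := key.Register(realOrigin)
	if err != nil {
		panic(err)
	}
	srv := &Server{origin: realOrigin, handle: handle, pub: pub}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	ctr, sig, err := key.Authenticate(realOrigin, handle, challenge) // genuine login
	legit = err == nil && srv.Verify(challenge, ctr, sig)
	replayed = srv.Verify(challenge, ctr, sig) // same response again: counter check fails
	// Phishing relay: attacker forwards the real challenge and handle, but the
	// browser reports the look-alike origin, so the key refuses to sign.
	pctr, psig, err := key.Authenticate(phishOrigin, handle, challenge)
	phished = err == nil && srv.Verify(challenge, pctr, psig)
	return
}

func main() {
	legit, replayed, phished := Demo()
	fmt.Printf("genuine login ok: %v, replay accepted: %v, phishing relay accepted: %v\n", legit, replayed, phished)
}
```

Two things in this model carry the security argument: the origin comes from the browser rather than the page, and the signature covers that origin, so neither a relayed challenge nor a captured response is useful at a different site.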
Confirming a login with a one-time code sent via text message to your phone won’t work without a cellular signal, such as on most planes. It can also be defeated if an attacker convinces a customer-service rep at your wireless carrier to transfer your number to another device.
Having a smartphone app like Google’s Authenticator calculate confirmation codes eliminates the cellular-connectivity and account-takeover risks: the codes are computed on the phone from a secret shared with the site and the current time, so nothing needs to travel over the network. But reconfiguring this app every time you switch devices is—as Google security product manager Stephan Somogyi told me last July—“a complete, total and unmitigated pain.”
Chrome has supported U2F since 2014. This spring, Microsoft and Mozilla said they would support a successor standard, WebAuthn, in their Edge and Firefox browsers. In May Firefox did just that—although Google accounts still rely on the older U2F standard that won’t work in Firefox until you enable a hidden option.
Apple, however, has remained opaque on this point. It does have employees participating in the WebAuthn development process, but the possible-features list of Safari’s WebKit open-source foundation only shows this option as “Under Consideration.” Apple pointed to those two details but did not clarify its intentions. Not for the first time, its instinctive secrecy does it no favors.
The history here suggests no rush to adopt WebAuthn. Joseph Lorenzo Hall, chief technologist with the Center for Democracy & Technology, observed in email that “Apple is frequently late to do standards”—though he expects the company to welcome this one eventually.
Enlightening users about encryption
Safari has also trailed its competitors in web encryption, which stops your internet provider and any third parties online from recording passwords you type or tracking your browsing history beyond the domain names of sites you visit.
For instance, Chrome began warning of unencrypted fields for passwords and credit-card numbers at the start of 2017. Apple didn’t add its own alert for such sensitive data input—a “Not Secure” label in prominent red type—until the end of March.
And while Chrome already adds an “i” icon next to the address of unencrypted sites, which when clicked warns that they’re not secure, Safari offers no such heads-up that a site won’t stop third-party eavesdropping. July’s update to Chrome should make this advisory more obvious with a “Not secure” label atop every unencrypted page.
These warnings matter because most people don’t recognize traditional browser hints about site security. Last March, the Pew Research Center released a survey finding that only a third of Americans knew that an “https” prefix in a site address meant it used encryption.
A similar pattern prevailed after security researchers confirmed that a widely used hash algorithm called SHA-1, long used to sign the certificates behind encrypted connections, could be defeated in practice. Chrome was the first major browser to label pages secured with SHA-1-signed certificates “not secure,” starting in 2015; by early 2016, it began blocking those pages.
Firefox followed suit in February of 2017, Edge in May—but Apple did not take the same step until October of that year. Fortunately, most SHA-1 holdouts had upgraded their certificates by then, in part because of Google’s public shaming.
But what if you also value privacy?
Meanwhile, Google has also been quicker and more open in its responses to such threats as the Spectre and Meltdown Intel (INTC) processor vulnerabilities, which could let an attacker peek at data on your computer, and “forced-redirect” ads that hijack browsing sessions. These and other reasons help explain why so many security professionals run Chrome on their Macs.
But while going with the flow (Chrome has a 62.9% share of the desktop browser market, according to NetApplications surveying) and using Chrome can strengthen your security online, it raises other problems. Beyond the issues involved in giving Google even more of your time, Chrome falls short of Safari in protecting your privacy from ad networks and other trackers.
Can Apple someday match Google on security? CDT’s Hall is cautiously optimistic, and the founder of a security-certificate firm offered a similar perspective. “While Safari is lagging behind Chrome, they are moving in a positive direction that makes me satisfied,” e-mailed Andrew Ayer, founder of SSLMate.
Could Google, in turn, do better on privacy? When asked that question on Twitter in June, Google engineering director Parisa Tabriz replied “Challenge accepted!”
That would be a terrific competition to watch—far better than seeing these two firms squabble over who copied whom first.
Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.