How Apple's Safari Browser Will Try to Thwart Data Tracking
15.9.2018 securityweek Apple
New privacy features in Apple's Safari browser seek to make it tougher for companies such as Facebook to track you.
Companies have long used cookies to remember your past visits. This can be helpful for saving sign-in details and preferences. But now they're also being used to profile you in order to fine-tune advertising to your tastes and interests.
Cookie use goes beyond visiting a particular website. As other sites embed Facebook "like" and "share" buttons, for instance, Facebook's servers are being pinged and can access your stored cookies. That means Facebook now knows you frequent celebrity gossip sites or read news with a certain political bent. Ads can be tailored to that.
Here's how Safari is getting tougher in dealing with that.
NO MORE GRACE PERIOD
Safari used to wait 24 hours from your last visit to a service before blocking that service's cookies on third-party sites. That effectively exempted Facebook, Google and other services that people visited daily. Now, Safari will either block the cookie automatically or prompt you for permission.
Apple says Safari will still be able to remember sign-in details and other preferences, though some websites have had to adjust their coding.
THWARTING FINGERPRINTING
Browsers typically reveal seemingly innocuous information about your device, such as the operating system used and fonts installed. Websites use this to make minor adjustments in formatting so that pages display properly.
Browsers have historically made a lot of information available, largely because it seemed harmless. Now it's clear that all this data, taken together, can be used to uniquely identify you. Safari will now hide many of those specifics so that you will look no different from the rest.
It's like a system that digitally blurs someone's image, said Lance Cottrell, creator of the privacy service Anonymizer. "You can tell it's a person and not a dog, but you can't recognize a person's face," he said.
For instance, Safari will reveal only the fonts that ship with the machine, not any custom fonts installed.
MASKING WEB ADDRESSES
When visiting a website, the browser usually sends the web address for the page you were just on. This address can be quite detailed and reveal the specific product you were exploring at an e-commerce site, for instance.
Now, Safari will just pass on the main domain name for that site. So it would be just "Amazon.com" rather than the specific product page at Amazon.
CLOSING A LOOPHOLE
Some ad companies have sought to bypass restrictions on third-party cookies — that is, identifiers left by advertisers — by using a trick that routed them through a series of websites. That could make a third-party cookie look like it belonged to a site you're visiting. Safari will now try to catch that.
The changes come Tuesday as part of the iOS 12 update for iPhones and iPads and a week later in the Mojave update for Mac computers.
Many of the safeguards will be limited to cookies that Apple deems to be trackers. That's being done to reduce the likelihood of inadvertently blocking legitimate third-party cookies.