
Apple adds a tracker blocker to desktop Safari - Allvitende
https://techcrunch.com/2017/06/05/apple-adds-a-tracker-blocker-to-desktop-safari/
======
code4tee
Sounds like this is more in line with what they did with ApplePay vs
traditional credit cards--i.e. they give you randomized IDs each time so the
other party can't track you from transaction to transaction. Ads can still
appear but they won't know who you are, so it's a direct shot at Google and
others looking to give people "targeted" ads based on user behavior. I agree
it's an issue that needs addressed. Just because I searched for X two days ago
doesn't mean I want to see adverts on X for the next two months.

~~~
Darthy
That's actually not how ApplePay works. You get a new randomized credit card
number, but only once. Shops can still track you by checking for the number.
You can check that yourself by looking at receipts when you pay with ApplePay
- each receipt features the same numbers (most receipts only show the last 4
digits, but they are always the same when you pay with ApplePay).

~~~
ljoshua
Is it a randomized number per card per merchant, or just a randomized number
per card?

~~~
Darthy
It's a randomized number per original card. Every merchant sees the same
number. According to some other poster, if you have several devices (like an
iPhone and an Apple Watch), then you get a new number for each device.

So, not only can a single merchant track you, but all merchants can cross-
reference the data they have about you and track your whereabouts, purchasing
habits etc. They just don't know who you are anymore, because that information
is not transmitted. Unless one merchant asks for your email or home address,
and this merchant then adds that email to a shared database, at which point
we're back to step 1 and the merchants know everything about you.

~~~
stirlo
Or you just use any kind of loyalty card/account when making a payment using
Apple Pay even once. :( I didn't realize it only randomized once and am now
disappointed in the way Apple marketed it.

------
tannhaeuser
Thumbs up for Apple distinguishing themselves by their pro-privacy stance, as
opposed to MS, who don't have anything to win by Win10's excessive "telemetry"
IMHO.

~~~
mtgx
It's also a real shame they're doing this before Mozilla. Mozilla already has
Tracking Protection but only for Private Windows.

It's like Mozilla can't even embrace its privacy stance fully.

~~~
whoami_nr
You can enable Tracking Protection in Firefox for normal browsing windows in
the settings->privacy tab

~~~
infinityplus1
Does not appear for me. It's only for the private windows.

~~~
whoami_nr
Oh. I am sorry. True, it doesn't appear for normal windows. Anyway, as some
other user suggested, visit "about:config" and change the privacy settings
there.

~~~
Sammi
What key?

------
ghughes
Here's the official blog post explaining the feature in depth:
[https://webkit.org/blog/7675/intelligent-tracking-prevention/](https://webkit.org/blog/7675/intelligent-tracking-prevention/)

~~~
aaronbee
This suggests that Google/Facebook/Twitter will still be able to track you,
assuming you use their websites regularly, but advertising companies that
don't have pages frequented by the average internet user won't.

------
tptacek
This is great, but unfortunately, until Apple ups its browser security game,
Safari is a non-starter. On macOS, switching from any other browser to Chrome
is in the top 3 things you can do to materially improve your security in ways
that actually matter in the real world.

~~~
justinschuh
Just to add some context, on macOS you can look at the seat-belt policy as a
rough analog for basic sandboxing guarantees, where the fewer exceptions
you have the stronger your sandbox is. From that perspective, Chrome's policy
has around 1/10th the exceptions of Safari.

* Safari SB policy: [https://trac.webkit.org/browser/webkit/trunk/Source/WebKit2/...](https://trac.webkit.org/browser/webkit/trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in)

* Chrome SB policy: [https://cs.chromium.org/chromium/src/content/renderer/render...](https://cs.chromium.org/chromium/src/content/renderer/renderer.sb?q=file:%5C.sb$+package:%5Echromium$&dr)

And of course, that's before we get into more complex forms of isolation that
Chrome implements, such as the sandboxed GPU process, or ongoing work into
things like network sandboxing, the macOS bootstrap sandbox, and site
isolation (origin-bound renderer sandboxing).
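
One way to put a number on "exceptions" when comparing two seat-belt profiles, as an added example that is not part of the original thread and is not WebKit or Chromium code: a small SBPL parser that tallies top-level `allow` rules per operation. The function names, the counting rule and both sample profiles are constructed assumptions.

```javascript
// Added illustration: tally the allow rules in a seat-belt (SBPL) profile.
// A static count is only a rough measure; runtime sandbox extensions are invisible here.

// Tokens: quoted strings, ';' comments (dropped), parentheses, bare atoms.
function tokenize(text) {
  const re = /"(?:\\.|[^"\\])*"|;[^\n]*|[()]|[^\s()";]+/g;
  return (text.match(re) || []).filter((t) => !t.startsWith(';'));
}

// Turn the token stream into nested arrays, rejecting unbalanced input.
function parse(tokens) {
  const stack = [[]];
  for (const t of tokens) {
    if (t === '(') {
      stack.push([]);
    } else if (t === ')') {
      if (stack.length < 2) throw new Error('unbalanced )');
      const done = stack.pop();
      stack[stack.length - 1].push(done);
    } else {
      stack[stack.length - 1].push(t);
    }
  }
  if (stack.length !== 1) throw new Error('unbalanced (');
  return stack[0];
}

// One exception = one (operation, filter) pair in a top-level allow form;
// an allow with no filter counts once per operation.
function countExceptions(profileText) {
  const byOperation = {};
  let total = 0;
  for (const form of parse(tokenize(profileText))) {
    if (!Array.isArray(form) || form[0] !== 'allow') continue;
    const isOp = (x) => typeof x === 'string' && !x.startsWith('"');
    const ops = form.slice(1).filter(isOp);
    const filters = form.slice(1).filter(Array.isArray);
    const n = Math.max(filters.length, 1);
    for (const op of ops) {
      byOperation[op] = (byOperation[op] || 0) + n;
      total += n;
    }
  }
  return { total, byOperation };
}

// Constructed sample profiles (service names are placeholders).
const narrowProfile = `
(version 1)
(deny default)
(allow file-read* (subpath "/usr/lib"))   ; one read-only path
(allow mach-lookup (global-name "com.example.fonts"))
`;
const broadProfile = `
(version 1)
(deny default)
(allow file-read* file-write* (subpath "/tmp") (subpath "/var/cache"))
(allow mach-lookup
  (global-name "com.example.fonts")
  (global-name "com.example.audio")
  (global-name "com.example.gpu"))
(allow network-outbound)
`;

console.log(countExceptions(narrowProfile), countExceptions(broadProfile));
```
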

~~~
om2
The question is a bit more complex than a simple reading of these files. Mac OS
sandboxing allows dynamic extension of the sandbox, which would not be
reflected in the profile (I'd bet Safari does more of this than Blink though).
Also, as you mentioned, it's relevant to look at what's factored into separate
processes, and how those processes are sandboxed. Safari's Network process has
been networked since 2013, so I don't think you can count Chrome's ongoing
work to do so as a Chrome advantage.

If you add these things up, the difference in practical effectiveness is not
as wide as one might think.

~~~
justinschuh
I don't keep up too much on Safari these days, so congrats on moving the
network stack out of the content process. But looking at the current
WebProcess seat-belt policy and what gets initialized, it looks like there's
still far too much attack surface relative to Chrome. Things like audio/video
capture and other permissioned Web APIs appear to be permitted directly inside
the sandbox. And the GPU attack surface alone is a giant vector for escape--
plus all the other potential escape vectors posed by that very long list of
mach services.

So yeah, the seat belt policies alone aren't determinative, which is why I
called them "a rough analog". And it's hard to say what gets pulled in through
warmup (which is why we'll be eliminating it with our v2 bootstrap sandbox).
Accepting that, it's pretty clear that there's just dramatically less attack
surface exposed from inside Chrome's sandbox versus Safari's.

~~~
om2
The network stack has been out of the content process for a super long time,
it is not a new thing. (Ironically, Chrome engineers argued strenuously
against doing it when we first started).

You're right that separate GPU process is a huge advantage for Chrome. Kudos
on that, and we'll likely have to move in the same direction sooner or later.

Audio/video capture is temporary and not in currently shipping Safari. It was
just the simplest path to getting WebRTC up and running. We plan to fix it
before we ship. I agree with you that it's risky attack surface.

Also agree with you that we expose more mach services and for lots of them it
would be better not to expose them. A tradeoff here is that Chrome (as I
understand it) provides most of those facilities via brokers that are often
not sandboxed themselves. It used to be many of those things were just done by
the application process.

I suspect over time we'll see our respective sandbox models become more
similar over time, especially on macOS.

~~~
justinschuh
> The network stack has been out of the content process for a super long time,
> it is not a new thing.

FWIW, Chrome's network stack doesn't live in the content process either. It's
not currently sandboxed, but it's in a process that has no scripting runtime
or other dynamic content, so it's still pretty high bar for exploit. The exact
reasons for the current situation have to do with some legacy Windows support
that has since been removed, which is why the sandboxing work is now moving
forward. So, I definitely appreciate your situation with adding some sandbox
exceptions for WebRTC.

> I suspect over time we'll see our respective sandbox models become more
> similar over time, especially on macOS.

Fair. But I will say that Chrome being cross-platform tends to naturally push
us in the direction of eliminating sandbox attack surface. Our supported
platforms just differ so much that it's easiest to lock down the OS as much as
possible and implement narrower, origin-bound capability brokers inside
Chrome. If I were more tightly bound to a given OS implementation, I expect
I'd have a lot more fights about sandboxing, because it's easier for devs to
just standardize on what the OS gives you.

~~~
om2
It does seem like being cross-platform makes it more natural for Chrome to
lock down the content process very tightly, and provides a strong incentive to
do so. On the other hand, it may make it more difficult or less natural to
lock down some of the other processes.

On our end, it's natural to sandbox every new process we introduce, but also
easy to fudge what is allowed in sandbox profiles. Sometimes we have a choice
of accessing a service through a separate process, or working to make sure
that service itself is more secure (sandboxed itself, offers thinner and
properly validated IPC interface, etc). In many cases, the real right choice
may be to do both. As well as fuzzing the heck out of every IPC boundary.

------
vim_wannabe
> “It’s not about blocking ads, the web behaves as it always did, but your
> privacy is protected,” he added.

Does this mean browser fingerprint is somehow scrambled before it is sent to
the tracker instead of blocking?

~~~
ceejayoz
> Does this mean browser fingerprint is somehow scrambled before it is sent to
> the tracker instead of blocking?

It might be homogenized instead of scrambled. Every iOS device could be given
(barring IP etc.) the same fingerprint.

~~~
pmiller2
I don't think that's even theoretically possible. How do you block JS font
enumeration without crippling the browser font API?

~~~
tinus_hn
Offer the same basic set to every site. Why does a website need to know the
fonts you've installed?

~~~
MBCook
No user installed fonts on iOS. So that's already effectively the case there.

~~~
astrange
You can install fonts on iOS with MDM or configuration profiles.

------
frio80
Looks like this will stop (after 24 hours) some companies from doing an
initial redirection to set cookies for tracking purposes... Example:

1. Search Google for hockey sticks

2. Click on search result hockeystick.com

3. hockeystick.com issues a 302 to adcompany.com which then issues a 302 back
to hockeystick.com

Why the 302? Because in Safari, you could only access cookies in a 3rd party
context if you've seen a domain in a 1st party context. Setting a cookie in
adcompany.com in a 1st party context gives you the ability to read that cookie
in a 3rd party context which could be used for tracking purposes.
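
The redirect bounce described above, as an added example that is not part of the original thread: a simplified JavaScript model of the older Safari rule (third-party cookie access only for domains already seen first-party), plus a check that flags domains sitting in the middle of a redirect chain that leaves a site and returns to it. The class and function names, the two-label domain approximation and the hop list are constructed assumptions; hockeystick.com and adcompany.com are the placeholder domains from the comment.

```javascript
// Added illustration: a simplified model, not Safari's actual implementation.

// Registrable domain approximated as the last two labels (assumption; real
// browsers use the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// The rule from the comment: a domain may use cookies in a third-party
// context only once it has been seen in a first-party context.
class LegacyCookiePolicy {
  constructor() {
    this.seenFirstParty = new Set();
  }
  // Every top-level load, including each hop of a 302 chain, is first-party.
  topLevelLoad(url) {
    this.seenFirstParty.add(site(url));
  }
  allowsThirdPartyCookies(embeddedUrl, pageUrl) {
    const embedded = site(embeddedUrl);
    if (embedded === site(pageUrl)) return true; // same site, not third-party
    return this.seenFirstParty.has(embedded);
  }
}

// Detection: given the top-level URLs of ONE redirect chain, in order, return
// the foreign sites visited between two hops on the same site.
function findBounceDomains(hops) {
  const sites = hops.map(site);
  const bounces = new Set();
  for (let i = 0; i < sites.length; i++) {
    for (let j = i + 2; j < sites.length; j++) {
      if (sites[j] !== sites[i]) continue;
      for (let k = i + 1; k < j; k++) {
        if (sites[k] !== sites[i]) bounces.add(sites[k]);
      }
    }
  }
  return [...bounces];
}

// Constructed chain matching the three steps in the comment.
const chain = [
  'https://hockeystick.com/',
  'https://adcompany.com/sync?r=hockeystick.com',
  'https://hockeystick.com/?back=1',
];

function demo() {
  const policy = new LegacyCookiePolicy();
  const tag = 'https://adcompany.com/pixel.gif'; // embedded third-party resource
  const page = 'https://hockeystick.com/';
  const before = policy.allowsThirdPartyCookies(tag, page);
  chain.forEach((u) => policy.topLevelLoad(u));
  const after = policy.allowsThirdPartyCookies(tag, page);
  return { before, after, bounces: findBounceDomains(chain) };
}

console.log(demo());
```
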

~~~
flukus
Won't the browser show an error about a circular redirect? Or does that take a
few bounces?

~~~
frio80
The URLs would be different. Companies also rewrite internal links as you're
navigating a site to accomplish the same thing. Example:
[https://baycloud.com/thirdparty-redirect](https://baycloud.com/thirdparty-redirect)

------
theprop
I read
[https://webkit.org/blog/7675/intelligent-tracking-prevention/](https://webkit.org/blog/7675/intelligent-tracking-prevention/)
which details this.

They're just being a little sophisticated in how they block third-party
cookies. This will hardly stop other tracking scripts, tracking images,
widely-used fingerprinting techniques and related js calls. So nothing
remotely close to even Brave let alone a TOR or the Epic Privacy Browser.

~~~
om2
We're trying to do the most extreme thing we can do short of blocking ads. To
be more effective, you end up blocking ads, whether intentionally or as a side
effect.

This blocks more than just cookies by the way, it affects all client-side
state. And client-side state is still the primary and most reliable tool used
for tracking, even though other methods exist, such as browser fingerprinting,
behavioral fingerprinting, and IP-based tracking.

------
tyingq
The big question to me is whether it's enabled by default, and whether it
blocks requests to Google Analytics. If so, that's an interesting shot across
the bow.

~~~
dbbk
This is actually really concerning to me. If they blocked Google Analytics, it
would severely damage that data. It'd be bad news for site owners who just
want to quantify their traffic.

~~~
icelancer
....so? Site owners are not guaranteed this access; their script runs on the
client computer.

I say this as someone who does a lot of analytical research and re-targeting
and would be hurt if this was rolled out on a larger scale; I just don't think
I have a right to the data.

~~~
ksk
Well, if you don't care about things that prevent you from doing your job, then
what exactly is the point of working in that field?

~~~
Spivak
Imagine you were a police officer with this mentality.

"As someone who investigates lots of crimes, it's totally fine if someone
invokes the fifth amendment, I don't have the right to compel them to answer."

"I mean if you don't care about something that prevents you from doing your job,
why even join the force?"

~~~
ksk
I don't have to "imagine" anything. Let me invite you to consider the context
of my original comment before coming up with ridiculous comparisons.

~~~
lovich
Doesn't seem that ridiculous a comparison to me. You don't have a right to
compel something from someone else, but that doesn't mean you just have to
give up at whatever task you are trying to accomplish.

~~~
ksk
When I read a comment, the first thing I do is read the ones above it so I
understand the limited scope of the comment. I don't immediately rub my hands
with glee and go about compiling a list of situations to which the comment
doesn't apply. I guess that sort of thing appeals to some.

Complaining about losing data is in no way the same as assuming entitlement
status or forcing someone to do something. The job of a police officer is to
enforce laws, and exercise human judgement. The issue with the fifth amendment
would be handled by lawyers in courts, not by the officers on the ground. IT
jobs have completely different parameters. The comparison with police officer
is entirely irrelevant and as such I don't want to continue that discussion.

------
mmanfrin
The cynic in me sees this as cutting off Google, and then tracking within the
browser so they become the source of cross-internet tracking. I'd be on the
lookout for any new 'personalization' feature that comes in to the browser.
E.g. WWDC 2018: 'Today we're happy to announce Siri integration with safari!
She will provide personalized recommendations and results by applying machine
learning to your documents and data!'

~~~
atestu
They showed this on iOS Safari today:

> Siri now suggests searches in Safari based on what you were just reading.
> And when you confirm an appointment or a flight on a travel website, Siri
> asks if you want to add it to your calendar.

Search for "Smarter about you." on this page:
[https://www.apple.com/ios/ios-11-preview/](https://www.apple.com/ios/ios-11-preview/)
Looks like it's done on the device though, end-to-end encrypted with your
other devices.

------
floatboth
Firefox (Nightly at least, I don't follow stable :D) also has built-in
tracking protection, only in Private Browsing by default (about:config to
enable everywhere).

------
Eric_WVGG
It says a lot about the state of the web that both Apple and Google are
looking at publishers and saying "Look, if you won't fix your websites, we'll
fix them for you" (Google in the form of AMP on mobile devices). However, as
one of those who subscribes to the opinion that AMP breaks the web, I greatly
prefer Apple's approach.

It makes me wonder how many publishers at national newspapers and magazines
are even aware of what’s going on.

------
webuser321
It is well-known that Apple uses Omniture (acquired by Adobe, aka
SiteCatalyst, aka 2o7.net, etc.).

As in 192.168.0.2o7.net. Remember, "SWF" stands for Small Web File. Yes, they
actually tried to get users to swallow this when Shockwave Flash started to be
used in devious ways, such as to track users.

Omniture's business is third party tracking cookies similar to Google
Analytics or KISSmetrics. Not sure and don't care whether Flash is used so
much anymore. If too young to remember search and ye shall find information
about "permanent, Flash cookies" that could not be removed.

Apple is not saying "We will not engage with companies selling third party
tracking cookie services." Clearly they are not opposed to third party
tracking cookies in principle.

Instead they are announcing some change to their browser. Wow, exciting. It is
not clear what exactly this announcement accomplishes for users. Probably
nothing. If you are trying to avoid ads and tracking, popular browsers
(without extensions, etc.) are not your friends.

------
flukus
Advertisers will finally move their tracking behind their CDN's, which was
always the end goal for them and why they were free in the first place.

Then we have a problem where the industry is reliant enough on CDN's that
browsers can't simply block access.

~~~
yborg
[https://github.com/Synzvato/decentraleyes](https://github.com/Synzvato/decentraleyes)

~~~
eklavya
Not available for Safari though.

------
kgabis
Finally, I hope this becomes a common practice from other vendors as well.

------
hellofunk
It's unclear to me how these "trackers" work? How do they track you, is it
cookies, or what?

~~~
fjarlq
A decent overview:
[https://panopticlick.eff.org/about](https://panopticlick.eff.org/about)

Test your browser:
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
hellofunk
That site is interesting, and it shows you that 1 of X browsers resemble a
particular fingerprint ingredient.

I found this one rather interesting, it was the most unique of the ones
listed:

HTTP_ACCEPT Headers

One in several thousand have the same headers as me. But the headers
themselves are quite a small little string, I'm surprised it is that unique.

------
horsecaptin
For those who are technically inclined:
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

------
l0stkn0wledge
Yes, and in the same keynote, they let Siri track stuff down you 'might' be
interested in based on patch searching.

------
suyash
Thank you Apple for taking a stand for user's privacy.

------
MarkMc
I wonder if this could be good for Google because it has the money and
expertise to counter this move by Apple, while smaller ad networks do not.

------
jasonkostempski
Does Apple have access to the data? Because that wouldn't be any better.

~~~
matt_wulfeck
Almost everything in the keynote happens on device (deep learning, etc).

------
659087
Glad to see a player big enough to cause some damage taking this up. At this
point, anything that harms Facebook/Google and those trying to mimic their
data collection tactics should be considered good for the web and internet.

------
binthere
Later they demoed they can track your interests in what you've read on the web
to show you personalized news on their news app and keyboard autocompletion.

~~~
andreyf
Which would be super creepy if they were a company which is beholden to
advertisers for their revenue. But alas, they are not.

~~~
oculusthrift
neither is MS but every thread about them seems to have a top comment crying
about telemetry

~~~
oliv__
Microsoft themselves put ads in their OS... I think that's pretty telling of
the kind of company they are.

------
quotemstr
Do you want crappy ads? Then go ahead, make tracking more difficult. Tracking
_helps_ you see ads for things you actually want to see. It's not some kind of
grand conspiracy.

~~~
kalleboo
I have yet to see the supposedly relevant ads that all this targeting is
supposed to get me. The closest to targeted I've gotten is seeing stuff I
already just bought on Amazon.

------
josefresco
"the web behaves as it always did"

Uhhh, not really. Even if the behavior is unwanted, the web will not "behave"
the same - otherwise the feature does nothing.

~~~
ceejayoz
They pretty clearly mean that the web behaves the same from the user's
perspective.

~~~
josefresco
For example: The user will no longer see the ads for items they may have
previously searched for (even if this is unwanted/unpopular) - that's a
change. Sorry to be so pedantic but it's not accurate to say nothing behaves
differently.

------
webuser321
Meanwhile Apple is tracking users 24/7.

There is no option to turn off phoning home to Apple in Apple's pre-installed
operating systems. Every user of iOS is constantly pinging Apple servers _all
day every day_.

Connect an iOS device to the internet and watch the network. The user is given
no control over this. _All_ users are assumed to _need_ Apple's help setting
the system time.

The networking functionality of NeXT/Apple's operating systems is based on
open source BSD operating system code.

But BSD does not phone home to some organization when you install it. Why not?
Surely Apple's approach is the best one for _all_ users, right?

It is amusing to watch these companies proclaim they will block others from
tracking and serving ads while continuing to siphon user data themselves,
often in ways that are all but transparent to users. Apple can block everyone
else, then I can block Apple. OK by me.

Someone in this thread made some comment about Microsoft Edge not tracking
users. Do people seriously believe nonsense like that? MS was dumping debug
output via DrWatson to the network long before collecting user data for profit
was even a strategy.

Connect a Windows computer to the internet and watch the network. All on by
default. Unlike Apple, they have no prepared explanation/justification why
they need to do this.

And even if they did, who cares? Users prefer not to be tracked. Companies are
admitting they know this.

Users could opt-in to tracking if they believed they were getting some
benefit.

But that is not how this game works. There is no "opt-in". It is on by
default. There was no intention to make tracking a "choice".

Probably because companies know what the choice of users would be and it would
not be favorable to the company.

But that is not something we are allowed to discuss.

~~~
macintux
"But that is not something we are allowed to discuss"

I suspect you'd have fewer down votes (and thus perhaps some discussion)
without this. Congratulations on the self-fulfilling prophecy.

