Apple previewed the latest version of its desktop operating system, macOS Mojave, and an updated Web browser, Safari 12, at WWDC, its annual developer conference. Apple says enhancing privacy and security is a top priority for these releases.
Safari 12 offers additional Intelligent Tracking Prevention measures and automatic creation and storage of strong passwords. macOS Mojave (and iOS 12) limits third-party access to device configurations, making it harder for device “fingerprints” to be used for tracking purposes, and apps require user authorization to use Mac cameras, speakers, or access private data like email history and message databases.
Web sites can load resources like images and scripts from outside their own domain name, which is called cross-domain or cross-site loading, and it’s a powerful Web feature. However, such retrieval can also lead to users being tracked across sites. Since June 2017, WebKit, the open source Web browser engine used by Safari (and many other apps on macOS, iOS, and Linux), has provided Intelligent Tracking Prevention (ITP). The original version 1.0 of ITP reduced cross-site tracking by limiting and periodically clearing browser cookies and other site tracking data. For example, during the first 24 hours of interacting with a website, the associated cookie cannot be used in a third-party environment and is said to be “partitioned.” After 30 days, the cookie is deleted.
ITP version 1.1, released in March 2018, further enhances tracking prevention by not allowing partitioned cookies to persist to disk and blocking them completely if they are identified as candidates for immediate cleanup. The release also introduces the Storage Access API, which allows “nesting of authenticated content” while protecting customer privacy by default. At its core, the Storage Access API provides a mechanism for nested third-party content to bypass cookie partitioning through user interaction.
Safari 12 introduced ITP 2.0, which removes the 24-hour window for cookie reuse by third parties and instead immediately partitions cookies for domains identified as having tracking capabilities. ITP 2.0 also adds a user prompt to WebKit’s implementation of the Storage Access API. If the user gives access, their choice is kept forever. If the user refuses, their choice is not permanent, and they can change their mind if they later want to take advantage of a similar embedded widget that calls the Storage Access API. This feature prevents third-party “comment sections” or “like buttons” embedded in Web pages from accessing cookie data without explicit user interaction and validation.
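The flow described above, sketched as an added example (not code from Apple, WebKit or the original article): an embedded third-party widget checks for cookie access and requests it on a click, using `document.hasStorageAccess()` and `document.requestStorageAccess()`. The helper names `ensureStorageAccess`, `wireSignInButton` and `fakeDocument` are hypothetical, and `fakeDocument` is a constructed stand-in so the logic can run outside a browser.

```javascript
// Added example. Runs inside a third-party iframe such as a comment widget.
// `doc` is the iframe's document, passed in so the logic also runs under Node.
async function ensureStorageAccess(doc) {
  // Engines without the Storage Access API offer nothing to request.
  if (typeof doc.hasStorageAccess !== "function") return "unsupported";
  // A previously granted choice is remembered, so no new prompt is needed.
  if (await doc.hasStorageAccess()) return "already-granted";
  try {
    // Rejects when called outside a user gesture or when the user declines.
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    // A refusal is not permanent: the widget may ask again on a later click.
    return "denied";
  }
}

// Ask only in response to a click, then report the outcome to the widget.
function wireSignInButton(doc, button, render) {
  button.addEventListener("click", async () => {
    render(await ensureStorageAccess(doc));
  });
}

// Constructed stand-in for an iframe document (not a real browser object).
function fakeDocument({ granted = false, userAllows = false } = {}) {
  return {
    hasStorageAccess: async () => granted,
    requestStorageAccess: async () => {
      if (!userAllows) throw new Error("NotAllowedError");
      granted = true; // the grant persists for later checks
    },
  };
}
```

A widget would render its signed-in view only for `granted` or `already-granted`, and an anonymous view with a sign-in button otherwise.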
As previously reported by InfoQ, Firefox has also released an extension that it claims provides ITP-like functionality to block businesses from listening to users’ non-Facebook Web traffic without their consent.
Safari 12 has other features as well. The browser can now automatically create, auto-fill and store strong passwords when users create new online accounts. It marks reused passwords so that users can change them.
At WWDC, Apple also announced several new data protection features in macOS Mojave and iOS 12. These features require apps to obtain user authorization to use Mac cameras and speakers, or to access private data such as mail history and message databases, or to access sensitive parts of the file system.
macOS Mojave makes it harder for trackers to create unique “fingerprints” and content-based tracking features that can be used to uniquely identify a device in addition to existing cookies. Craig Federighi, SVP of Software Engineering, addressed this issue in his keynote:
Reducing the effectiveness of fingerprints requires individual devices to blend into the crowd. This can be done by presenting only a simplified system configuration to external viewers, showing only the built-in fonts, and removing support for legacy plug-ins (outside of the Safari extension library) so that they cannot be used to generate fingerprints. “Eventually, your Mac will look a lot like everyone else’s Mac,” Federighi said.
macOS Mojave will be released to the public later this year. Safari Tech Preview 58 for macOS High Sierra is now available for download, and with this release, Safari Preview is available on macOS Mojave Beta.
Privacy and Security a Top Priority in macOS Mojave and Safari 12