iOS 13 與 macOS 10.15 對憑證的限制

Slack 上看到同事丟出來的,關於之後要推出的 iOS 13 與 macOS 10.15 會對憑證限制的項目:「Requirements for trusted certificates in iOS 13 and macOS 10.15」。

主要是把不安全的演算法淘汰掉 (RSA 小於 2048 bits,以及 SHA-1 類的 hash algorithm),這兩個部份相關的新聞應該不少,沒有什麼太大問題:

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

然後是要求憑證使用 SAN (Subject Alternative Name),舊的標準 CN (CommonName) 將不會再被信任。

如果是公開簽發的憑證應該都沒問題 (像是 Let's Encrypt,或是花錢買的那些),主要的問題應該會出現在自己建立的憑證,網路上蠻多舊資料還是產生 CN...

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

另外是 2019/7/1 之後發出的憑證,有額外兩個規範要注意,第一個是強制要透過 EKU 指定 id-kp-serverAuth,這是出自 RFC 5280

   id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   -- TLS WWW server authentication
   -- Key usage bits that may be consistent: digitalSignature,
   -- keyEncipherment or keyAgreement

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

再來是時間的限制,接下來的憑證最長只認得 825 天 (大約 27 個月多一些),以前都惡搞 -days 3650,現在得兩年簽一次了:

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

整體看起來主要是影響自己簽的部份...

Apple 新的「Find My」帶來的隱私問題

這次 WWDC 推出的新功能,已經有人在討論機制與隱私問題了:「How does Apple (privately) find your offline devices?」。

前一代的「Find my iPhone」需要透過網路與 GPS 資料才能在系統上看到,這一代則是加上 BLE beacon,然後任何一台 iOS device 收到後就回傳回給蘋果:

Every active iPhone will continuously monitor for BLE beacon messages that might be coming from a lost device. When it picks up one of these signals, the participating phone tags the data with its own current GPS location; then it sends the whole package up to Apple’s servers.

幾個隱私問題在於,代傳的 iOS device 也會暴露位置資訊給蘋果,另外收到 BLE beacon 的 iOS device 本身是否可以解讀遺失機器的資訊?而商家看起來也可以利用這個方式主動發送攻擊而得知不少資料 (像是文章裡提到先前蘋果透過 randomize mac address 加強隱私的問題,這邊又多開了一個洞),現在蘋果給的資訊還不夠清楚,需要真的逆向工程確認才知道...

幫你的 iPhone 電話簿找到對應的頭像

前幾天看到的:「Announcing Vignette」,透過 social network 的資料,把本來電話簿裡面的 icon 更新:

透過 app store 的搜尋找不太到,我一開始用了「Vignette」搜不到,但用「Vignette Update」就可以。或者你可以透過他提供的連結直接開 app store:「Vignette – Update Contact Pics」。

這是一個 IAP 類的付費服務,搜尋是免費的,但如果要把資料更新回通訊錄,需要付 USD$4.99 (一次性),台灣帳號是付 TWD$170,應該是因為最近的稅務調整:

Vignette allows you to scan your contacts and see what it can find for free. If you wish to actually save these updates to your contact list, you must pay for a one-time in-app purchase. That purchase costs $4.99, is not a subscription, and is the only in-app purchase.

搜尋的範圍包括了 GravatarTwitterFacebookInstagram

Email is used for Gravatar
Twitter
Facebook
A custom network called Instagram

另外作者有提到這個 app 不傳資料到伺服器上,都是在自己的裝置上連到上面提到的 social network 尋找:

Privacy is paramount
All the processing is done on-device; this isn’t the sort of app where your contacts are uploaded en masse to some server, and out of your control.

所以速度不會太快,但對隱私比較好...

利用 Sensor 校正資訊產生 Device Fingerprint 的隱私攻擊

看到「Fingerprinting iPhones」這篇提出的攻擊,標題雖然是提到 iPhone,但實際上攻擊包括了 Android 的手機:

You are affected by this fingerprinting attack if you are using any iOS devices with the iOS version below 12.2, including the latest iPhone XS, iPhone XS Max, and iPhone XR. You are also likely to be affected if you are using a Pixel 2/3 device, although we hypothesise the generated fingerprint has less entropy and is unlikely to be globally unique. A SensorID can be generated by both apps and mobile websites and requires no user interaction.

目前 iPhone 升級到 12.2 之後可以緩解這個問題,Android 看起來還不清楚...

攻擊的方式是透過手機在出場前會使用外部的校正工具,找出手機內 sensor 所偵測到的值與實際值的差異,然後把這些資訊燒到韌體裡,當呼叫 API 時就可以修正給出比較正確的值。

而因為這些校正資訊幾乎每一隻手機都不一樣,而且不會因為重裝而變更 (即使 factory reset),加上還可以跨 app 與 web 追蹤,就成為這次攻擊的目標:

In the context of mobile devices, the main benefit of per-device calibration is that it allows more accurate attitude estimation.

資訊量其實相當大,透過 app 分析可以得到 67 bits entropy,透過網頁也有 42 bits entropy,而且不怎麼會變:

In general, it is difficult to create a unique fingerprint for iOS devices due to strict sandboxing and device homogeneity. However, we demonstrated that our approach can produce globally unique fingerprints for iOS devices from an installed app -- around 67 bits of entropy for the iPhone 6S. Calibration fingerprints generated by a website are less unique (~42 bits of entropy for the iPhone 6S), but they are orthogonal to existing fingerprinting techniques and together they are likely to form a globally unique fingerprint for iOS devices.

We have not observed any change in the SensorID of our test devices in the past half year. Our dataset includes devices running iOS 9/10/11/12. We have tested compass calibration, factory reset, and updating iOS (up until iOS 12.1); the SensorID always stays the same. We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SensorID either.

目前提出來的解法是加入隨機值的噪音 (iOS 的作法),不過作者有建議預設應該要關閉 js 存取 sensor 的權限:

To mitigate this calibration fingerprint attack, vendors can add uniformly distributed random noise to ADC outputs before calibration is applied. Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain. Please refer to our paper for more details. In addition, we recommend privacy-focused mobile browsers add an option to disable the access to motion sensors via JavaScript. This could help protect Android devices and iOS devices that no longer receive updates from Apple.

不過當初這群人怎麼會注意到的...

修正 Mac 外接螢幕的 Underscan 問題

公司的 MacBook Pro (13-inch, 2017, Two Thunderbolt 3 ports) 透過 HDMI 接 Dell P2419H 一直都有 Underscan 的問題:


出自「About overscan and underscan on your Mac, Apple TV, or other display

本來想透過 Underscan slide 修改 (像是下面這張圖),但發現系統內沒有 Underscan slide。


出自「About overscan and underscan on your Mac, Apple TV, or other display

找了不少文章後後來是在「Fixing Issues with Overscan/Underscan(Black Borders) on macOS」這篇的 comment 看到解法:

Ran into this same underscan problem with black borders showing up on my new Dell 24-inch Ultrasharp U2415 connected to a 2013 Macbook Air running High Sierra, and after hours of looking into the problem the fix turned out to be super simple:

Just restart in Safe Mode.

That’s it. Restart your Mac in Safe Mode (restart, hold down the Shift key after the Apple BONG sounds, then restart normally once again for good measure. I don’t know what this clears or resets but it worked for me. No more letterboxing or black borders with the native 1920×1200 resolution selected.

So maybe something to try first for anyone coming across this post.

照著重開進 Safe mode 後再開回一般模式就正常了 (what???),先記錄起來,讓我之後遇到時可以搜尋到自己的文章...

Spotify 向歐盟投訴 Apple Music 的不公平競爭

Spotify 向歐盟提出不公平競爭的投訴,並且發出新聞稿:「Consumers and Innovators Win on a Level Playing Field」。

重點在於 Spotify 服務透過蘋果的平台會有 30% 的抽成,但 Apple Music 因為自家服務而不需要:

To illustrate what I mean, let me share a few examples. Apple requires that Spotify and other digital services pay a 30% tax on purchases made through Apple’s payment system, including upgrading from our Free to our Premium service. If we pay this tax, it would force us to artificially inflate the price of our Premium membership well above the price of Apple Music. And to keep our price competitive for our customers, that isn’t something we can do.

不過裡面好像沒提到超過一年後的費用會降到 15% (參考「Auto-renewable Subscriptions」),應該會是蘋果向歐盟回應的重點?

所以蘋果開始放鬆 iPhone 的第三方電池保固問題了?

MacRumors 上看到的,先前只要透過第三方更換電池,蘋果就會拒絕後續所有保固,現在內部文件改成不保固電池的部分,其他的元件還是會提供保固:「Apple Says iPhones With Third-Party Batteries Now Eligible for Repairs」。

iPhones with aftermarket batteries installed by third-party repair shops are now eligible for service at Genius Bars and Apple Authorized Service Providers, according to an internal Apple document obtained by MacRumors from three reliable sources.

不確定是不是全球性的,但至少法國已經是了?

突然想到『FTC 警告 Nintendo 與 Sony「拆封喪失保固」違反聯邦法』這篇,雖然兩者討論的主題不太一樣...

WireGuard 上 macOS 了...

在「WireGuard for macOS」這邊看到 WireGuard 進到 Apple 家的 Mac App Store 了。

除了是透過 app store 下載外,另外的重點在於整合了 NetworkExtension API

This is built from the same code base as our existing iOS app and makes use of Apple's Network Extension API to provide native integration into the operating system's networking stack.

這樣可以確保相容性,而且可以用內建的 VPN 機制管理。另外也給了一些 screenshot 可以看,可以看出來就是走 Mac 上的管理方式:

Apple 將移除掉 Safari 的 DNT 功能

在「Apple Removes Useless 'Do Not Track' Feature From Latest Beta Versions of Safari」這邊看到的,看起來包括 iOSmacOS 都會移除:

因為沒什麼單位願意遵守,沒必要多送幾個 bytes 還順便讓廣告商可以判斷...