Safari will reject long-lived certificates (more than 398 days, roughly thirteen months)

Seen in "Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months": this time it is Safari taking the lead in killing off long-lived certificates.

Certificates issued before September this year follow the existing agreement, with a maximum validity of 825 days (about 27 months), but for certificates issued from September onward, any with a validity period longer than 398 days will simply be treated as invalid by Safari. That roughly halves the maximum; whether the other browsers will follow suit is anyone's guess...

In the earliest days you could just buy five years (I seem to remember this because I bought the certificate for group.nctu.edu.tw myself back then); later it dropped to three years, recently two, and now it looks like it is about to become one...
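As an added illustration (not code from the original post), here is a small Python check that applies the validity rule described above to the dates printed by `openssl x509 -noout -dates`. The 825-day and 398-day limits are the figures from the post; the exact cutoff instant (2020-09-01 00:00 UTC) and the three sample date pairs are assumptions constructed for the example.

```python
from datetime import datetime, timezone

# Limits from the post: certificates issued before the September cutoff may be
# valid for up to 825 days, those issued from the cutoff on for at most 398.
# The exact cutoff instant (2020-09-01 00:00 UTC) is an assumption; the post
# only says "September this year".
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_DAYS_BEFORE_CUTOFF = 825
MAX_DAYS_AFTER_CUTOFF = 398


def parse_openssl_date(line: str) -> datetime:
    """Parse one line of `openssl x509 -noout -dates` output, e.g.
    'notBefore=Sep  1 00:00:00 2020 GMT', into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity period in whole days (notAfter minus notBefore)."""
    return (not_after - not_before).days


def safari_limit_for(not_before: datetime) -> int:
    """Which limit applies depends on when the certificate was issued."""
    return MAX_DAYS_AFTER_CUTOFF if not_before >= CUTOFF else MAX_DAYS_BEFORE_CUTOFF


def check_openssl_dates(output: str) -> dict:
    """Take the two-line output of `openssl x509 -noout -dates` and report
    the validity period, the applicable limit and whether Safari accepts it."""
    dates = {}
    for line in output.strip().splitlines():
        key, _, _ = line.partition("=")
        dates[key.strip()] = parse_openssl_date(line)
    not_before, not_after = dates["notBefore"], dates["notAfter"]
    days = validity_days(not_before, not_after)
    limit = safari_limit_for(not_before)
    return {"days": days, "limit": limit, "accepted": days <= limit}


# Constructed sample outputs (not taken from real certificates).
OLD_REGIME_TWO_YEAR = "notBefore=Aug 15 00:00:00 2020 GMT\nnotAfter=Nov 15 00:00:00 2022 GMT\n"
NEW_REGIME_TWO_YEAR = "notBefore=Sep 15 00:00:00 2020 GMT\nnotAfter=Sep 15 00:00:00 2022 GMT\n"
NEW_REGIME_ONE_YEAR = "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Nov  2 00:00:00 2021 GMT\n"

if __name__ == "__main__":
    samples = [
        ("issued before cutoff, ~27 months", OLD_REGIME_TWO_YEAR),
        ("issued after cutoff, 2 years", NEW_REGIME_TWO_YEAR),
        ("issued after cutoff, 397 days", NEW_REGIME_ONE_YEAR),
    ]
    for name, sample in samples:
        print(name, check_openssl_dates(sample))
```

Feed it the output of `openssl x509 -in cert.pem -noout -dates` for a certificate you are about to deploy; a `False` under `accepted` means Safari users will see an error even though other clients may still trust the certificate.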

Apple's traffic offloading solution: Apple Edge Cache

Saw Apple's "Apple Edge Cache" on Hacker News Daily; it looks like an in-house CDN offering.

The network requirement, a minimum peak of 25 Gbps, is not low, but given Apple's traffic volume it is probably not an overestimate:

Minimum 25 Gb/s peak traffic across all Apple traffic.

Every ISP will probably consider it, since the number of iPhones and iPads out there is no joke; the nodes I have measured from Taiwan so far are all in Taiwanese data centers (judging by ping latency)...

Another interesting part is the SSL side; the SSL Labs data shows a few interesting details: "SSL Report: cache.edge.apple (17.253.119.201)".

One is that Apple bought an intermediate CA from GeoTrust and uses it to sign its own AEC service; another is that the service presents both an RSA 2048-bit key and an EC 256-bit key; and it already supports TLS 1.3.

This is similar to what other content providers do, such as Netflix's Open Connect.

The FBI's GrayKey can unlock the iPhone 11 Pro Max

From "FBI Successfully Unlocks iPhone 11 Pro in Ohio, Casting Doubt on Claims it Needs Apple's Help in Florida Mass Shooter Case": it looks like the GrayKey in the FBI's hands can now unlock the iPhone 11 Pro Max...

Previously GrayKey could only unlock older models, such as the iPhone 5 or iPhone 7 mentioned in earlier disclosures; now it looks like they found a new vulnerability that breaks the newer versions, so the tool has been upgraded:

Forbes has previously revealed a GrayKey brochure that showed it worked on older devices, and the two iPhones acquired by the FBI in the most recent Pensacola case are an iPhone 5 and an iPhone 7, which strongly suggests that investigators are already capable of unlocking them.

The cat-and-mouse game continues...

WebKit's "anti-tracking anti-tracking" feature...

The first time I saw the title I genuinely had a WTF reaction; it feels more and more like the start of a big war: "Preventing Tracking Prevention Tracking".

Apple's platforms have the Intelligent Tracking Prevention (ITP) feature, but it used to be fairly simple, so there were still many places where its behaviour could be analyzed as part of a browser fingerprint. Apple therefore decided to improve it and shipped the changes in the new software versions:

This blog post covers enhancements to Intelligent Tracking Prevention (ITP) included in Safari on iOS and iPadOS 13.3, Safari 13.0.4 on macOS Catalina, Mojave, and High Sierra.

This includes trimming the Referer on cross-site requests:

ITP now downgrades all cross-site request referrer headers to just the page’s origin. Previously, this was only done for cross-site requests to classified domains.

The remaining three improvements all concern third-party cookies; blocking cookie-bearing third-party requests by default will probably break some sites:

ITP will now block all third-party requests from seeing their cookies, regardless of the classification status of the third-party domain, unless the first-party website has already received user interaction.

Among the early hacks for building one's own SSO was the design of hitting several different domains via ajax to log the user in automatically; it looks like that will need checking...
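As an added example, not WebKit's code and not from the original post, the following Python model applies the two ITP rules quoted above (Referer downgraded to the page's origin; third-party cookies withheld unless the first-party site has received user interaction) to the cross-domain ajax SSO pattern just mentioned. The hostnames, the cookie jar and the two-label approximation of a registrable domain are constructed assumptions; real browsers consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Model of the two ITP rules quoted above, written for illustration only.
# Hostnames, cookies and the site heuristic are constructed for the example.


def registrable_domain(host: str) -> str:
    """Approximate the site (eTLD+1) as the last two labels of the host.
    Real browsers consult the Public Suffix List; this shortcut is an
    assumption that holds for the .com/.net hosts used here."""
    return ".".join(host.lower().split(".")[-2:])


def site_of(url: str) -> str:
    return registrable_domain(urlsplit(url).hostname)


def origin_of(url: str) -> str:
    """scheme://host[:port], i.e. what a cross-site referrer is reduced to."""
    parts = urlsplit(url)
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    host = parts.hostname
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def build_request(page_url, request_url, cookie_jar, interacted_sites):
    """Return the Referer and Cookie values ITP would let this request carry.

    cookie_jar maps a site (eTLD+1) to that site's cookies; interacted_sites
    is the set of sites the user has already interacted with as first party."""
    cookies = dict(cookie_jar.get(site_of(request_url), {}))
    if site_of(page_url) == site_of(request_url):
        # Same-site request: nothing is changed.
        return {"Referer": page_url, "Cookie": cookies}
    # Rule 1: the cross-site referrer is downgraded to the page's origin.
    referer = origin_of(page_url) + "/"
    # Rule 2: third-party cookies are withheld unless the first party has
    # received user interaction.
    if site_of(page_url) not in interacted_sites:
        cookies = {}
    return {"Referer": referer, "Cookie": cookies}


# Constructed scenario: a web app at app.example.com whose self-built SSO
# logs the user in by calling several domains via ajax.
PAGE = "https://app.example.com/dashboard?user=42"
COOKIE_JAR = {
    "example.com": {"sid": "first-party-session"},
    "example.net": {"sso": "sso-session"},
}


def sso_calls(interacted_sites):
    """Run the two ajax calls the SSO pattern relies on and collect what
    each one is allowed to send."""
    return {
        "same-site": build_request(PAGE, "https://sso.example.com/whoami", COOKIE_JAR, interacted_sites),
        "cross-site": build_request(PAGE, "https://sso.example.net/whoami", COOKIE_JAR, interacted_sites),
    }


if __name__ == "__main__":
    # Fresh session, no interaction yet: the cross-site call loses its cookie.
    for label, result in sso_calls(interacted_sites=set()).items():
        print(label, result)
```

The run without any prior interaction is the case that breaks the old SSO trick: the call to `sso.example.net` still goes out, but it arrives with no cookie and a Referer of just `https://app.example.com/`, so the SSO endpoint cannot recognise the session it was supposed to renew.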

The state of uBlock Origin on Safari

uBlock Origin was ported to Safari in 2016 but has not been updated since 2018; the maintainer explained the current situation in "Explanation of the state of uBlock Origin (and other blockers) for Safari #158".

Essentially, Apple is deprecating the original Extension API, and the replacement framework has no equivalent content filtering capability, so uBlock Origin's functionality cannot be implemented within the new framework...

The maintainer's advice is to switch browsers, but the range of browsers to choose from keeps shrinking (since Google Chrome is up to something as well), so the maintainer's recommendation is to switch to Firefox.

I would additionally suggest trying Brave, because Brave has decided that if Google Chrome changes the blocking capability of webRequest (i.e. this Manifest V3 business), they will keep the original compatibility, so uBlock Origin can be expected to keep working (see my earlier post "Brave 試用" (Trying out Brave)).

YubiKey on iOS

Seen in "Yubico iOS Authentication Expands to Include NFC": progress on NFC-based MFA in iOS 13.

The main obstacle was that NFC on iOS previously only had read capability, so applications such as U2F/FIDO2/WebAuthn could not be built on it:

Previously, NFC on iOS was read-only, which meant that it couldn’t support modern authentication protocols like FIDO U2F, FIDO2/WebAuthn that require both read and write capabilities – but now that has changed.

Since iOS 13 an API with both read and write access is available, so these protocols can now be supported:

With these recent updates, iPhone users (running iOS 13+) can experience mobile NFC authentication with a YubiKey 5 NFC or Security Key NFC by Yubico on apps and browsers that have added support.

For those whose main focus is the Apple ecosystem, the wait is finally over...

Apple's declaration (of war) on tracking mechanisms

Apple has published, via the WebKit blog, a declaration (or rather a "declaration of war") on tracking technology: "Announcing the WebKit Tracking Prevention Policy"; the full document can be found in "WebKit Tracking Prevention Policy".

For related coverage see "Apple will soon treat online web tracking the same as a security vulnerability". That headline comes mainly from this point:

We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities.

Technically it remains very difficult, though; there are far too many ways a browser can be used for tracking and profiling today.

Also, don't take Apple for a saint; they simply don't make much money from advertising, so they decided to step forward and market privacy protection as a product. Don't be too surprised when some odd exception pops up one day...

Apple offers free butterfly keyboard repairs (worldwide)

Scrolling to the bottom of the article you can see "Information as of 2019-05-21", but I only just saw this on Hacker News: "Apple's service program for butterfly keyboard MacBooks, even out of warranty (support.apple.com)"; the official explanation is at "Keyboard Service Program for MacBook, MacBook Air, and MacBook Pro":

Apple has determined that a small percentage of the keyboards in certain MacBook, MacBook Air, and MacBook Pro models may exhibit one or more of the following behaviors:

  • Letters or characters repeat unexpectedly
  • Letters or characters do not appear
  • Key(s) feel "sticky" or do not respond in a consistent manner

Apple or an Apple Authorized Service Provider will service eligible MacBook, MacBook Air, and MacBook Pro keyboards, free of charge. The type of service will be determined after the keyboard is examined and may involve the replacement of one or more keys or the whole keyboard.

The covered models range from the MacBook (Retina, 12-inch, Early 2015) to the most recent ones; you can find yours in the system menu. Any unit sold within the last four years is covered, and if you previously paid for a keyboard repair you can try applying for a refund:

This worldwide Apple program does not extend the standard warranty coverage of your Mac notebook.

If you believe your Mac notebook was affected by this issue, and you paid to have your keyboard repaired, you can contact Apple about a refund.

The program covers eligible MacBook, MacBook Air, and MacBook Pro models for 4 years after the first retail sale of the unit.

Rumor has it Apple will retire the butterfly keyboard...

9to5Mac reports that Apple will switch to a scissor-switch design: "Kuo: Apple to include new scissor switch keyboard in 2019 MacBook Air and 2020 MacBook Pro".


(Image of the scissor switch mechanism, taken from the "File:Scissor switch mechanism.svg" page.)

Apple is apparently set to ditch the butterfly mechanism used in MacBooks since 2015, which has been the root of reliability issues and its low-travel design has also not been popular with many Mac users.

In a report published today, Ming-Chi Kuo says that Apple will roll out a new keyboard design based on scissor switches, offering durability and longer key travel, starting with the 2019 MacBook Air. The MacBook Pro is also getting the new scissor switch keyboard, but not until 2020.

Nothing can be confirmed until it actually ships...