privacyguides / privacyguides.org

Protect your data against global mass surveillance programs.
https://www.privacyguides.org
Creative Commons Attribution Share Alike 4.0 International

Recommend not using Fraudulent Website Warning (conditionally) #1964

Closed ghost closed 1 year ago

ghost commented 1 year ago

Description

Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Apple to check if the website is fraudulent. For users with China mainland set as their region in Settings > General > Language and Region, Safari may also use Tencent Safe Browsing to perform this check. The actual website address is never shared with the safe browsing provider. Google (and, for users with China mainland or Hong Kong set as their region, Tencent) may also log your IP address when information is sent to them. You can disable Fraudulent Website Warnings in Safari anytime by going to Settings > Safari, then tapping to turn off Fraudulent Website Warning.

This could be possibly left on if the search engine was not using Google, and the region is not set to China mainland or Hong Kong.

Source: https://www.apple.com/legal/privacy/data/en/safari/

URL of affected page: https://www.privacyguides.org/mobile-browsers/#safari

ghost commented 1 year ago

I'm happy to put a PR together for this one @mfwmyfacewhen, I just need to know the angle PG wants to go in on this one.

ghost commented 1 year ago

Yeah might be worth mentioning. But yeah there should be a warning letting people know it hurts security to disable it.

ghost commented 1 year ago

I think it should be more of a note than a recommendation in this instance, and should come down to threat modelling.

Something along the lines of it's recommended to have it enabled (which it is by default), however those who live in Hong Kong/Mainland China may want to consider disabling it based on their own threat modelling.

ghost commented 1 year ago

Definitely, feel free to whip up a PR and I'll look it over.

dngray commented 1 year ago

may also log your IP address when information is sent to them

Can we find out what information is sent? If this is simply getting a list of suspect websites and the IP is disclosed in the connection to the server to get the list then I don't think this is an issue.

In regard to disclosing the IP address, our only recommendation here is to either use VPN/Tor, and not try to attempt to block disclosure by "avoiding" certain companies.

ghost commented 1 year ago

Looking at this again, I don't really think this is a problem since the actual address isn't sent. Gonna close this.

jonaharagon commented 1 year ago

For future reference, what is sent to the provider is a hash prefix based on the beginning of the address, it works similarly to how HIBP's Pwned Passwords service works.
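To make the hash-prefix lookup described in the comment above concrete, here is an added Python model of the idea (it is not Apple's, Google's or HIBP's code, and it simplifies their real protocols; the prefix length, the function names and the blocklist entries are all assumptions chosen for the illustration). The point it shows is what each party learns: the server sees only a short hash prefix, and the client finishes the comparison locally against the full hashes it gets back.

```python
"""Simplified hash-prefix (k-anonymity) lookup, modelled on the scheme
described above. Added example, not the project's or any vendor's code.
PREFIX_BYTES, the helper names and the sample blocklist are assumptions."""
import hashlib
from urllib.parse import urlsplit

PREFIX_BYTES = 4  # hypothetical prefix length; real services pick their own


def canonicalize(url: str) -> str:
    """Reduce a URL to its lowercase host name, the value the client hashes.
    This deliberately drops path and query, so the server learns nothing
    about them even indirectly."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def full_hash(url: str) -> bytes:
    """SHA-256 of the canonical host (stays on the client)."""
    return hashlib.sha256(canonicalize(url).encode()).digest()


def prefix_query(url: str) -> bytes:
    """The only thing the client sends: the first PREFIX_BYTES of the hash."""
    return full_hash(url)[:PREFIX_BYTES]


class BlocklistServer:
    """Server side: holds full hashes of known-bad hosts and answers
    prefix queries with every full hash sharing that prefix."""

    def __init__(self, bad_hosts):
        self.hashes = {full_hash(h) for h in bad_hosts}

    def lookup(self, prefix: bytes):
        # The server sees the prefix (and, as the thread notes, the
        # connection's IP address), but never the full hash or the host.
        return sorted(h for h in self.hashes if h.startswith(prefix))


def is_flagged(url: str, server: BlocklistServer) -> bool:
    """Client side: ask by prefix, then match the full hash locally.
    A prefix collision only costs an extra candidate in the reply; the
    final decision always compares full hashes, so it cannot misfire."""
    candidates = server.lookup(prefix_query(url))
    return full_hash(url) in candidates


if __name__ == "__main__":
    # Constructed sample blocklist for the demonstration.
    server = BlocklistServer(["phish.example", "malware.example"])
    for u in ["https://phish.example/login?x=1", "https://safe.example/"]:
        print(u, "-> prefix sent:", prefix_query(u).hex(),
              "flagged:", is_flagged(u, server))
```

Running it shows that two URLs on the same host send the same prefix regardless of path, and that a benign host is not flagged even if its prefix happened to collide with a listed one, because the full-hash comparison never leaves the client.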

quackerex commented 1 year ago

I think Apple also proxies the traffic. Source: https://twitter.com/othermaciej/status/1359736220809531393