From the “comprehensive FAQ” John Gruber links to regarding “How ‘Sign In with Apple’ Works”:

From a security perspective, Apple offers a better option for both users and developers alike compared with other social login systems which, in the past, have been afflicted by massive security and privacy breaches.

Why would we believe Apple, whose fails keep on giving, is going to do any better than any other option? I mean, privacy-wise, I’m excited to have this option. But anyone who thinks any sign-in provider is going to give you 100% hack-free protection has another thing coming.

The advantage here is that, if Apple’s smart, a successful hack will get at most an Apple ID. And even that ought to be hashed. There’s no reason to expose any additional personal information as part of this scheme.


Also, btw, this is just flat wrong:

6) If I let Apple make up a random email address for me, does Apple now have the ability to read my email?

No. For those who want a randomized email address, Apple offers a private email relay service. That means it’s only routing emails to your personal inbox. It’s not hosting them.

Um, yes, Apple can read your email as a relay service. Unless the email is encrypted, how can’t they? If you believe they’re not storing it, great, attack vector greatly reduced. But Apple, along with ANYONE else relaying your email from sender to your box, can potentially read the contents of unencrypted text. And that’s all email typically is: unencrypted text.

Email is inherently insecure. If you’re using https to transfer it, that’s great, but even then, Apple’s going to be on the other end of that https train. They will have the ability to read it, but it’d kill their “privacy” based marketing claims, so I’ll assume they’re being more careful than most companies with those zeroes and ones.

But if some nefarious admin at Apple wanted to read your relayed emails, they certainly could.
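To make the relay point concrete, here is an added example (not from the post, the FAQ, or Apple) of a toy private email relay: it rewrites a randomized alias to the real inbox and records what the relay operator was able to see. The alias table and both messages are constructed, and the “ciphertext” is an opaque stand-in, not real PGP output.

```python
# Toy "private email relay" (constructed example). A relay has to terminate TLS
# and parse the message to rewrite the recipient, so it holds the message in the
# clear. Only a body the sender encrypted end to end stays opaque to it, and
# even then the headers (From, Subject) remain readable.
from email import message_from_string
from email.message import Message

# Hypothetical alias -> real inbox table the relay must hold to forward mail.
ALIASES = {"x7q2p9@relay.example": "alice@personal.example"}

# Constructed plaintext message as a sender's mail server would hand it over.
PLAIN = """\
From: shop@merchant.example
To: x7q2p9@relay.example
Subject: Your order 4321
Content-Type: text/plain

Your order ships tomorrow to 1 Main St."""

# Same message, but the sender encrypted the body before sending.
# The body below is a constructed placeholder, not real ciphertext.
E2E = """\
From: shop@merchant.example
To: x7q2p9@relay.example
Subject: Your order 4321
Content-Type: text/plain

-----BEGIN CONSTRUCTED CIPHERTEXT-----
hQEMA3k9bS9zZXJ2aWNlAQf9Ez1placeholder
-----END CONSTRUCTED CIPHERTEXT-----"""


def relay(raw: str) -> tuple[Message, dict]:
    """Rewrite the alias to the real inbox; return the forwarded message
    and a record of everything the relay could read while doing so."""
    msg = message_from_string(raw)
    real = ALIASES[msg["To"]]  # lookup is the relay's core function
    del msg["To"]              # drop every existing To header
    msg["To"] = real
    seen = {
        "from": msg["From"],
        "to": real,
        "subject": msg["Subject"],            # visible even with E2E body
        "body": msg.get_payload().strip(),    # plaintext unless E2E encrypted
    }
    return msg, seen
```

The relay sees the street address in the first message but only the opaque blob in the second; note that the subject line leaks in both cases.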
