Archive for November 11, 2022

Friday, November 11, 2022

An Untrustworthy TLS Certificate in Browsers

Cory Doctorow (via Bruce Schneier):

Yesterday, the Washington Post’s Joseph Menn published an in-depth investigation into Trustcor, a certificate authority that is trusted by default by Safari, Chrome and Firefox:

Menn’s report is alarming. Working from reports from University of Calgary privacy researcher Joel Reardon and UC Berkeley security researcher Serge Egelman, Menn presented a laundry list of profoundly disturbing problems with Trustcor[…]


Today, learning that the CA-vetting process I’d blithely assumed was careful and sober-sided is so slapdash that a company without a working phone or a valid physical address could be trusted by billions of browsers, I feel like I did when I decided not to fill my opioid prescription.

AirDrop “Everyone” Limit in China

Filipe Espósito:

Apple today released iOS 16.1.1 for all users. While the release notes for the update say nothing about new features or major changes, there’s a significant one coming for users in China.

Jess Weatherbed:

Apple has placed time restrictions on AirDrop wireless file-sharing across iPhones in China after the feature was used by protesters to share images opposing the Chinese government, Bloomberg reports.

The “Everyone” option in AirDrop is now limited to a ten-minute window for users in China. After the ten minutes have passed, AirDrop’s device-to-device sharing will switch back to “Contacts Only,” making it harder to distribute content to strangers en masse. These new time restrictions have been introduced by Apple just weeks after the service was used to spread posters opposing president Xi Jinping.

Nick Heer:

A weird quirk of this change is that, absent the above context, adding a timeout to the “Everyone” setting for AirDrop is actually a good idea. Some people have reported receiving unwanted AirDrops in public, a story which CNBC illustrated with a stock photo of a “senior man surprised at tablet”. Indeed, Apple told Mark Gurman of Bloomberg that it will be rolling out the feature for all iPhones — but it would not say why this change was added to a routine security update only for users in China.


Update (2022-11-30): Tibor Martini (via Hacker News):

Apparently a lot of Chinese dissidents used AirDrop to share information (because you don’t need internet for it and thus it can’t be censored).

John Gruber:

You don’t have to be Kreskin to surmise that Apple made this change at the behest of the CCP.

iOS 16.1.1 and iPadOS 16.1.1

Juli Clover:

iOS 16.1.1 fixes a few unspecified bugs that iPhone users have been dealing with, according to Apple’s release notes. Users have been afflicted with a widespread Wi-Fi bug, for example. The Wi-Fi bug resulted in random disconnects, with some users unable to stay connected to their Wi-Fi networks.

It is not clear if the Wi-Fi bug is fixed as Apple did not provide a specific list of bug fixes, instead only saying that the update “includes bug fixes and security updates.”


macOS 13.0.1

Juli Clover (full installer, IPSW):

macOS Ventura 13.0.1 is a bug fix update, and it addresses two security vulnerabilities that could allow for unexpected app termination or arbitrary code execution by a remote user. Neither was known to have been exploited in the wild.


Appears that macOS Ventura 13.0.1 has fixed the Endpoint Security Framework (ESF) Full Disk Access (FDA) permission bug.

Howard Oakley:

Ventura has also brought considerable improvements in the time taken to update, but only, as far as I’m aware, on Apple silicon Macs. Although I haven’t timed this accurately, the 13.0.1 update delivered entirely from my Content Caching server took just under ten minutes, from the start of download to the reappearance of the Desktop and Finder. On a Ventura VM with only four vCPUs running on a Mac Studio Max, from the completion of downloading to the login screen took less than 7.5 minutes, including a ‘30 minutes’ preparation period that took about 4 minutes.

Once downloading had finished to my iMac Pro, I had time for a leisurely dinner while it completed its update, I guess taking at least 45 minutes.