

This makes me feel somewhat better, honestly. The fact that packet-level firewalls work is reassuring. It hadn't been clear from previous reports that they all have to do with content-level filtering and VPNs. In that context, it seems to make more sense for Apple to exempt its own critical services (like malware detection and security updates). Kind of the same way applications can't overwrite system files either.

I am curious though: can anyone think of any real-world scenario where it's a genuine problem that Apple traffic isn't routed through the VPN? When I think of normal uses for VPNs - security for online work and communications, evading censorship, bypassing geo blocks - these would all seem to be entirely unaffected. Or is there a worry that we don't have a definitive answer to this because nobody's catalogued everything Apple sends and looked for privacy vulnerabilities? Is there anything at all an ISP or attacker could snoop on outside your VPN that could ever be genuinely threatening or privacy-invading?

> Honestly this seems entirely reasonable

I want to agree with your optimistic view of this, but I can't, because I don't think reason was used in making the decision. I think the reality is probably closer to this:

Product: "So we can't let users block our own apps. It might break things in weird ways, and also they implicitly trust us already because we make their OS."

Engineers on the application firewall team: "OK, cool, we'll disable users from blocking Apple apps."

Any freedom you're enjoying with PF isn't there because Apple decided it was a good idea. It's there because Apple decided to build on BSD.

I'm actually surprised macOS even has PF (apparently since 2015, enhanced from other BSD implementations). I did a minimal amount of searching and found this now-relevant gem:

> If two firewalls, Application Firewall & PF, are both running, you may wonder whose rules take precedence.
> So one can conclude that PF rules are applied first, then the rules for Application Firewall.

None of those are a threat model, and if you think about them for a minute you can understand why they aren't relevant.

> Capital One used to offer different mortgage rates to IE users and Firefox users

This was driven by looking at the User-Agent header your browser sends on every request, not sniffing your local network connection. Similarly, the Verizon super-cookie header wouldn't affect HTTPS traffic (this was one of the motivations behind HTTPS-everywhere campaigns, since even many people who think the NSA can track them no matter what mind marketers doing it), and the point was tracking individual people across multiple devices, not simply gross device fingerprinting.

Even if your VPN connection has 100% uptime they can do the traffic analysis I mentioned, but since it's almost certain that there will be some non-VPN requests, they would already know that you have at least one Apple device. The underlying issue here is that the kinds of things you're worried about happen in the browser. Using a VPN adds reliability and performance issues, but it doesn't prevent this kind of basic identification, and very, very few people aren't going to leave some kind of far more identifying cross-site activity which would uniquely identify them rather than just narrowing it down to one of the most popular consumer brands.

> They are a threat model for your wallet, which some people consider a threat model.
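The User-Agent-based "basic identification" discussed in the thread, shown from the server's side as an added example that is not part of the original discussion: a handful of constructed access-log lines (not real traffic; the UA strings only follow the real format of those browsers) are parsed, and each request is bucketed by platform and browser the way a rate-steering or analytics backend would. The function names, the regex and the trailing cookie field in the log format are my own assumptions. Grouping by client IP also shows why a non-VPN request from any one device is enough to learn "this address has at least one Apple device", while the cookie column is what actually identifies a person rather than a brand.

```python
"""Coarse platform/browser inference from the User-Agent header versus
unique identification by a per-user cookie, over constructed log lines.
Added example; not code from the thread or from any vendor."""
import re
from collections import Counter

# Constructed sample lines (assumption: combined log format plus a trailing
# quoted cookie field). IPs are from documentation ranges.
SAMPLE_LOG = r'''
203.0.113.10 - - [12/Nov/2020:10:00:01 +0000] "GET /rates HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15" "uid=a1b2"
203.0.113.10 - - [12/Nov/2020:10:00:05 +0000] "GET /rates HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1" "uid=c3d4"
198.51.100.7 - - [12/Nov/2020:10:01:00 +0000] "GET /rates HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0" "uid=e5f6"
198.51.100.7 - - [12/Nov/2020:10:01:09 +0000] "GET /rates HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36" "uid=a7b8"
192.0.2.44 - - [12/Nov/2020:10:02:00 +0000] "GET /rates HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15" "uid=a1b2"
'''

# ip, user, auth, [time], "request", status, bytes, "referer", "ua", "cookie"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "[^"]*" '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def platform_of(ua):
    """Platform family from the UA's platform token. This is all the header
    gives a server: a brand/OS bucket, not a person."""
    if "iPhone" in ua or "iPad" in ua or "Macintosh" in ua:
        return "apple"
    if "Windows NT" in ua:
        return "windows"
    if "Android" in ua:
        return "android"
    if "Linux" in ua:
        return "linux"
    return "other"


def browser_of(ua):
    """Browser family. Order matters: Chrome UAs also contain 'Safari/',
    so test the more specific tokens first."""
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua:
        return "chrome"
    if "Safari/" in ua:
        return "safari"
    return "other"


def parse(log_text):
    """Parse log lines into dicts with ip, ua and cookie; skip malformed lines."""
    rows = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Contrast what the UA reveals (coarse buckets) with what the cookie
    reveals (distinct users), and which IPs exposed an Apple device."""
    return {
        "platforms": Counter(platform_of(r["ua"]) for r in rows),
        "browsers": Counter(browser_of(r["ua"]) for r in rows),
        "users": {r["cookie"] for r in rows},
        "apple_ips": {r["ip"] for r in rows if platform_of(r["ua"]) == "apple"},
    }


if __name__ == "__main__":
    s = summarize(parse(SAMPLE_LOG))
    print("platform buckets:", dict(s["platforms"]))
    print("browser buckets: ", dict(s["browsers"]))
    print("distinct users:  ", len(s["users"]))
    print("IPs with an Apple UA:", sorted(s["apple_ips"]))
```

On the sample, five requests collapse into two platform buckets and three browser buckets, which is the "one of the most popular consumer brands" level of information, while the cookie column separates four distinct users; and 192.0.2.44 is tagged as owning an Apple device from a single request, which is the kind of leak a VPN only prevents if every request goes through it.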
