Apple and iTunes: The encryption of traffic across the web is now mandatory, or almost mandatory, as Apple chooses not to encrypt downloads from iTunes.
You usually know when a page uses HTTPS encryption from the small green padlock on the left side of the URL line. If there is not the little padlock something happens. This was remarked by Disconnect researchers in iTunes and the Apple App Store.
Every time you download an app or update from the App Store or a movie, a TV show, or a song from iTunes, the download comes via HTTP without TLS.
This makes it at least theoretically easier for an internet service provider, hacker, or even someone on a shared Wi-Fi network to track your movements.
Please note that each unencrypted download also includes an Apple-created code. Called Destination Signaling Identifier, it is a unique device ID generated by iCloud and periodically changed.
Disconnect researchers report that attackers could use DSID to track one's habits or the applications he uses.
"There is so much you can learn about someone by downloading an app" he says Patrick Jackson, Cisco's Disconnect, and a former NSA researcher.
Disconnect researchers reported the bug to Apple in September, highlighting their concerns. Apple replied that this is not an error and that downloads via HTTP are "expected". The response essentially confirms that the downloads are not encrypted, and according to the researchers, the company declined to comment further on the use of HTTP in the downloads.
While it is surprising that a company claiming to be in favor of privacy does not use secure connections, iOS researcher Will Strafach says he believes the non-use of TLS serves a specific purpose.
By sending HTTP downloads instead of encrypted connections, system administrators, especially in large business environments, can create a kind of station by temporarily storing large applications and files on their local network for faster delivery. This means they will not consume bandwidth if an application, an update, or another file goes down again and again on multiple devices. If the connections were encrypted between Apple's servers and the devices, creating a buffer that offers temporary storage would not be possible.
However, Apple's specific behavior is not safe. Let's say if the above reason why the company does not add encryption to downloads, the friends of the company will have to think again about giving their money. Let's remind you that we are talking about one of the richest technology companies.