Apple and iTunes: Encrypting traffic across the web is now mandatory, or nearly so, yet Apple chooses not to encrypt iTunes downloads.
You usually know when a page uses HTTPS encryption from the small green padlock on the left side of the URL line. If the little padlock is missing, something is going on. Disconnect researchers noticed exactly this in iTunes and the Apple App Store.
Every time you download an app or update from the App Store or a movie, a TV show, or a song from iTunes, the download comes via HTTP without TLS.
This makes it at least theoretically easier for an internet service provider, hacker, or even someone on a shared Wi-Fi network to track your movements.
Note that every unencrypted download also includes a code created by Apple. It's called a Destination Signaling Identifier (DSID), and it's a unique device identifier generated by iCloud that changes periodically.
Disconnect researchers report that attackers could use DSIDs to track someone's habits or the applications they use.
"There is so much you can learn about someone by downloading an app," says Patrick Jackson, Cisco's Disconnect, and a former NSA researcher.
Disconnect researchers reported the bug to Apple in September, highlighting their concerns. Apple replied that this is not an error and that downloads via HTTP are "expected". The response essentially confirms that the downloads are not encrypted, and according to the researchers, the company declined to comment further on the use of HTTP in the downloads.
While it is surprising that a company claiming to be in favor of privacy does not use secure connections, iOS researcher Will Strafach says he believes the non-use of TLS serves a specific purpose.
By sending downloads over HTTP instead of over encrypted connections, system administrators, especially in large enterprise environments, can create a sort of staging ground by caching large applications and files on their local network for faster distribution. This means they won't eat up bandwidth if an app, update, or other file is downloaded over and over on multiple devices. If connections were encrypted between Apple's servers and devices, the creation of an intermediate station offering temporary storage would not be possible.
However, this behavior by Apple is not safe. If the above is the reason why the company does not add encryption to downloads, the company's fans will have to think again about giving it their money. Remember that we are talking about one of the richest technology companies.