Safari's 'Intelligent Tracking Protection' is misspelled, says Google: It should be 'dumb browser stalking enabler'

Safari's 'Intelligent Tracking Protection' is misspelled, says Google: It should be 'dumb browser stalking enabler'

Chocolate Factory boffins doubt Apple can fix it, either


Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple's WebKit team for the company's Safari browser.


In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) through software updates, specifically Safari 13.0.4 and iOS 13.3. Those bugs could be exploited to leak browsing and search history and to perform denial of service attacks.


But they're not quite fixed, according to Google's boffins. In a paper [PDF] titled, "Information Leaks via Safari's Intelligent Tracking Prevention," authors Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis claim that the proposed mitigations "will not address the underlying problem."


And on Wednesday, Justin Schuh, Google engineering director for Chrome security and privacy, made a similar claim via Twitter. Google, he said, had found similar security flaws in a Chrome tool called XSS Auditor and had decided they were fundamentally unfixable.


"After several back and forths with the team that discovered the issue, we determined that it was inherent to the design and had to remove the code," he explained.


Schuh expressed skepticism that Apple will be able to salvage ITP. "They attempt to mitigate tracking by adding state mechanisms, but adding state often introduces worse privacy/security issues," he wrote.


The Register asked famously non-communicative Apple to weigh in. And ..