Apple Clarifies Tencent's Role in Fraudulent Website Warnings, Says No URL Data is Shared and Checks are Limited to Mainland China

[hans1972]

do Edge, Firefox, Opera doing this with Tencent?

Well, Opera is owned by a Chinese consortium.

Firefox are using Google Safe Browsing AFAIK. There is a Chinese version of Firefox and who knows that it is doing.

Microsoft has its own service, which probably Edge uses.

But the question is, what are these browsers doing in China?

 

[matrix07]

and for devices with their region code set to mainland China, it receives a list from Tencent.

?
Re-enabled the function again.

 

[JimmyHook]

There literally is no privacy issue with how they do their check

 

[matrix07]

Overblown reporting over a misinterpretation of Apple’s wording with no comment requested from Apple? You don’t say.

but it’s Apple own fault. They could have been this clear in T&A but they chose to make it obscure. If they said Chinese iPhone will send to Tencent nobody will freak out this much.

 

[sakurarain]

Luckily Tencent is much better than the Baidu. Baidu is the real evil-maker in China.

 

[redpandadev]

Then Apple, please explain why you need to send my IP address when you do send data?

There are two potential workarounds for this - first would be for you to use a VPN, which would only give them your masked IP address. If you are concerned about someone having your IP address you should be doing this already. Your IP address doesn’t have to be “sent” - it is automatically known by any other computer you connect to.

The alternative would be for Apple to act as a proxy for these lists. Have an Apple server do the reaching out (and therefore the providers only get the IP of an Apple server) and then have Safari only communicate with Apple.

 

[jonblatho]

but it’s Apple own fault. They could have been this clear in T&A but they chose to make it obscure. If they said Chinese iPhone will send to Tencent nobody will freak out this much.

It’s not Apple’s finest hour in terms of wording; not the first time, won’t be the last. But MacRumors published a sensational story with the title “Apple Sending User Data to Chinese Company for Fraudulent Website Warnings in Safari” — a headline drawing quite the conclusion considering Apple’s statement here — without any indication that they had reached out to Apple for comment, as any sensible journalist would. People tend to draw their conclusions based on headlines above a more nuanced story, and again, that was quite the headline they had there.

At this point, it's difficult to know for sure whether Apple users residing outside of China are having their data sent to Tencent, but the company appears to be mentioned on iPhones and iPads registered in the U.S. and the U.K., and possibly in other countries, too.

Then ask! I get that MacRumors isn’t a pinnacle of journalism by any stretch, but that’s just laziness. Even if the story had to be run before receiving comment from Apple — and it’s certainly not like MacRumors has to deal with print deadlines — a simple “We reached out to Apple for comment but have yet to receive a response” would have sufficed in the interim, because otherwise it appears that some directly false statements or implications were made in the original article.

Of course, I doubt we’ll see an update and correction on the original story, but I’d love to be pleasantly surprised.

 

[macfacts]

AFAIK every major browser implements this service, for years.

If every browser does it, why pay the apple tax to use safari?

 

[macfacts]

Sending the hashed values of suspicious URLs to Google is in no way "sharing your browsing history" with the company. Do you understand that there's no way for Google to take that hash and derive the URL from it? It's a one-way transformation. ...

Browsing history consists of a time and a location. Using a 1 way hash means nothing when the valid input to that hash function is a finite list of values, consisting of valid domain names, the prefix. Google can just make a lookup table. Google just has to take a list of all domain names and apply the hash function on them then google has a list of possible hash values to compare to.

Imo, the valuable info is knowing what domains you visit, not the specific web page. Knowing you visited some web page on CNN.com is not much more valuable than knowing you visit CNN.com

When your browser looks up this info, google can record when that happens. Looks like google has your browsing history now.

 

[Nugget]

When your browser looks up this info, google can record when that happens. Looks like google has your browsing history now.

No they can’t, you are fundamentally misunderstanding how it works. Please reread my post and pay closer attention to the distinction between the hash and the hash prefix.

The hash is constructed from the full url, not just the domain name. URLs with the same domain name do not produce similar hashes, and there’s no way to derive the domain name from the full hash. But that doesn’t matter because...

The full hash is never sent. The partial hash prefix is not vulnerable to a lookup table and is only sent if there is a match with the prefix database.

Imo, the valuable info is knowing what domains you visit, not the specific web page. Knowing you visited some web page on CNN.com is not much more valuable than knowing you visit CNN.com

Then I trust you will be relieved to learn that there is no circumstance where google can determine what domains you are browsing through your interactions with the safe browsing api.

 

[I7guy]

And for everyone else the data is sent to Google servers, the same google apple constantly tries to scare apple users of

The same google that finds security flaws in others software.
[automerge]1571108491[/automerge]

Browsing history consists of a time and a location. Using a 1 way hash means nothing when the valid input to that hash function is a finite list of values, consisting of valid domain names, the prefix. Google can just make a lookup table. Google just has to take a list of all domain names and apply the hash function on them then google has a list of possible hash values to compare to.

Imo, the valuable info is knowing what domains you visit, not the specific web page. Knowing you visited some web page on CNN.com is not much more valuable than knowing you visit CNN.com

When your browser looks up this info, google can record when that happens. Looks like google has your browsing history now.

No they don’t. I’ve turned this check off and others. That’s of course assuming google stores this info, but you have as much admitted google is as sleazy as you say.

 

[macfacts]

No they can’t, you are fundamentally misunderstanding how it works. Please reread my post and pay closer attention to the distinction between the hash and the hash prefix.

The hash is constructed from the full url, not just the domain name. URLs with the same domain name do not produce similar hashes, and there’s no way to derive the domain name from the full hash. But that doesn’t matter because...
...

Look at the link you provided. Step 2 splits the url into a suffix and prefix. Step 3 uses the hash function on both the prefix and suffix.

 

[Nugget]

Look at the link you provided. Step 2 splits the url into a suffix and prefix. Step 3 uses the hash function on both the prefix and suffix.

You are misreading the specification. The suffix and prefix are used because canonicalization rules differ when working with domain names compared to The path portion of an URL. The spec also requires multiple canonicalized full URLs to be hashed to account for ambiguities in the way that URLs and hostnames can be parsed. The url is reconstructed in full form before the SHA256 hash is calculated.

Pay attention to every time the API documentation specifically refers to the “full-length hash”

There is no way for the hash that is calculated — or the hash prefix that is transmitted — to divulge the hostname portion of the URL. At no point in the process is the domain name or a hash of the domain name transmitted to a third party.

 

[carestudio]

can apple provides all these services that Google or tencent company had provided? i am surprised that people trust google more than tencent lol. In my opinion, both are collecting your data and making money from your data like FB. oh, tencent probably doesnt have to make money, China gov supports them and behind them. lol

 

[ulyssesric]

Hmm. So, Tencent is where Apple goes for Chinese phones? I mean, that makes sense.

Seriously answering your question. Tencent is the unofficial avatar of PRC government in IT realm. Foreign enterprise is forbidden to provide their own services in China without a China enterprise participant. And whenever foreign IT enterprises need a partner or shareholder for the local subsidiary, Tencent is the only candidate.

China is not a normal capitalism society but China-capitalism society. Don't forget that.

 

[ulyssesric]

can apple provides all these services that Google or tencent company had provided? i am surprised that people trust google more than tencent lol. In my opinion, both are collecting your data and making money from your data like FB. oh, tencent probably doesnt have to make money, China gov supports them and behind them. lol

Not in China. Foreign enterprise can provide service to users in China only when a China enterprise is participated in operation, either as co-operator or stockholder. That's PRC's game rules and you have to follow their rules if you want to do business in China.

 

[katewes]

How is it "hugging with China" if literally the only people that (voluntarily) deal with the Chinese provider are... people in China?

Hey, jsmith189, you are so easy to lull into trusting of the media. Everything is cool. Apple clarified that it only compromises the security of its China-based users.

For your education, when your device browser sends information to the safety-checker to see if the website you're visiting is "safe", it effectively means that your device is sending information about every single website you're visiting. They have to do that to check if it is "safe".

Usually, in the West, we trust the tech companies like Google to behave with that information of what websites we visit. (Recent events indicate that blind trust is no longer warranted).

But are you comfortable with the Chinese Communist Government being given a list of every single website you visit?

Don't lose any sleep. Apple clarified that it only gives that information to the Chinese administration about Apple users in China.

 

[Nugget]

For your education, when your device browser sends information to the safety-checker to see if the website you're visiting is "safe", it effectively means that your device is sending information about every single website you're visiting. They have to do that to check if it is "safe".

Please stop spreading these lies. This is not even remotely true.

 

[NetMage]

Hmm call me cynical but I don’t believe what Apple claims these days... history has proved them not to be trusted anymore.

Fortunately it is very easy to test what iOS is doing when you browse, and there is no doubt that a real story would have come out if Apple wasn't explaining truthfully that no URLs are ever sent or received as part of the safe browsing check.

 

[stylinexpat]

Then Apple, please explain why you need to send my IP address when you do send data?

Don’t banks,online trading brokerages for stocks and other government websites request or require IP verification to prevent cyber crimes from taking place ..? Otherwise some other person can log into your account. No..?

 

[bobob]

I get that MacRumors isn’t a pinnacle of journalism by any stretch, but that’s just laziness.

MAcRumors isn't journalism at all - - it's a sensationalist click-generating press release republisher.

 

[gnasher729]

And for everyone else the data is sent to Google servers, the same google apple constantly tries to scare apple users of

I think that was explained - nothing about you is sent to TenCent's or Google's servers.

Apple gets two lists of suspicious URLs - one from TenCent, one from Google.
If you use the feature, and you enter a URL that looks suspicious (but may be harmless), then Apple asks TenCent or Google for a more detailed list. For example if you visit www.scam.prevention then "www.scam" looks suspicious but "www.scam.prevention" may be completely harmless. All that TenCent and Google know is that _some_ Apple user _somewhere_ in China / outside China has asked for a URL starting with www.scam. Apple knows more.

 

[tito2020]

Apple is digging its own grave with all of the recent pro-China (aka pro-CCP) narrative.

First, it was Apple's direct anti-democracy stance against HK and now this. Shame on them. I'm very glad to not have upgraded my iPhone in almost 3 years.

Apple showing there true colors

 

[Nugget]

I think that was explained - nothing about you is sent to TenCent's or Google's servers.

This is correct.

All that TenCent and Google know is that _some_ Apple user _somewhere_ in China / outside China has asked for a URL starting with www.scam.

This is not correct at all. The google or Tencent server has no way of knowing any portion of the hostname or url path that you are attempting to load. Please do not spread misinformation. The url is not sent to Apple either. You are misunderstanding how it works.

 

[stylinexpat]

I think that was explained - nothing about you is sent to TenCent's or Google's servers.

Apple gets two lists of suspicious URLs - one from TenCent, one from Google.
If you use the feature, and you enter a URL that looks suspicious (but may be harmless), then Apple asks TenCent or Google for a more detailed list. For example if you visit www.scam.prevention then "www.scam" looks suspicious but "www.scam.prevention" may be completely harmless. All that TenCent and Google know is that _some_ Apple user _somewhere_ in China / outside China has asked for a URL starting with www.scam. Apple knows more.

This is because scams linked to banking or finance related have been on the rise recently in China. In fact banks now in China have specific papers on this that they make account holders sign.

I belive it is mainly related to finance, banking and email accounts. I could be wrong but if it is for those then those are valid reasons as even in the US and other countries this is done as well. Try logging into a Google email account from an unregistered device that has an unrecognized IP address for a Google email account, Mac email account, Yahoo email account or any banking account. This triggers a security alert to protect account holder. Is this wrong then?