I find it interesting how the needs of legitimate security mesh so well with the industry desires to kill off general-purpose computing for the majority of users
As a general rule, you want to prevent software from bypassing a user's informed consent. Apple typically does this in one of two ways:
1. Have functionality only accessible through system frameworks, so that the OS can be responsible for prompting for informed consent and granting it to a process. This means that the system itself has to have functionality to prompt for that informed consent in a way that users can understand.
2. Require processes which an application cannot script that are technically complicated enough that users might realize they are pulling off the warranty-voiding stickers. A prime example would be rebooting into recovery mode to turn off system integrity protections via a terminal command.
Both of these wind up getting gated in priority, but such is the priority of their system - limiting the ability of arbitrary software to act as an unrestricted agent of the user so that user security and privacy (as well as device operation like battery life and radio reception) can be protected.
> A prime example would be rebooting into recovery mode to turn off system integrity protections via a terminal command.
I actually think the way Apple implemented this downright brilliant. As you say, it can't be done automatically, and it's definitely made to be a bit intimidating. At the same time, it's not difficult or onerous, that's a pretty hard balance to strike.
By contrast, when I try to install unsigned drivers in Windows, I feel as though Microsoft is fighting me, and I get annoyed basically every time. I've never had that feeling with SIP; when I get a new computer, I take off the training wheels I don't need, and move along.
Unfortunately, Apple often does 1 far more often than 2, whether it be because 2 is harder, or has a worse experience, or what have you. And Apple exempting themselves is really option 3 for themselves.
I mean the irony is when it comes to browsers you see the general tone of HN shift to the opposite opinion when it comes to features like, RTC, USB, Bluetooth, Filesystem Access. These are all features that give users more power but it's (apparently) easier to see the downsides and how these features can and are used maliciously.
Now put yourself in the Apple's position where "an iOS app" or a "mac App" is about as trusted as a random website. Tech people have a strong culture of locally installed apps being extremely trusted but that doesn't extend to everyone. Can you imagine if websites could control your firewall?
> I mean the irony is when it comes to browsers you see the general tone of HN shift to the opposite opinion when it comes to features like, RTC, USB, Bluetooth, Filesystem Access.
I don't think it's that ironic. From my vantage point, the big tech companies specifically and consistently invoke the security arguments that are best aligned with their agendas.
• We need to enforce automatic Windows 10 updates to keep your computer secure. (But also, we won't let consumers use the security-patches-only LTSC branch we offer businesses.)
• You cannot install an app on your iPhone that we have not personally vetted. (As part of the vetting process, we enforce a 30% cut on all digital goods.)
• We need to hide URLs in Chrome to protect users from phishing websites. (But isn't it nice how it makes AMP more seamless?)
• We need to give browsers Bluetooth and USB access, because web apps are safer than random Windows executables. (But also, we can advertise inside of web apps more easily.)
I could go on. The problem with all of these arguments is that they aren't wrong so much as they're selective. The iOS App Store does protect users from malware, and hiding URLs does protect users from phishing. What goes unacknowledged are the trade-offs of these decisions—some of which may themselves be bad for security.
Because it's not really "hiding the URL" despite what all the outrage bloggers tried to make it seem. It's by default (i.e. until you tap/click it) hiding the parts of the URL that the site controls. So paypal.amazon.citibank.scamsite.biz/secure/login/trustus will just show scamsite.biz.
My first instinct was to distrust the hide-until-click URL bar also, but you've illustrated clearly why it's a reasonable default. It mitigates the effect of malicious websites playing URL games, and allows the browser to more accurately convey to the user where they really are.
To drive your point home, paypal.amazon.citibank.scamsite.biz/secure/login/trustus will likely have a perfectly valid certificate, along with the trusted green closed-lock before the URL, implying that the site is "secure".
This was solved a decade ago by rendering the 2nd+1st level domains (and sometimes other parts of the URL) in a different style.
> There's also arguments that URLs are too complex for normal people to understand.
That argument is an insulting attempt to justify a form of illiteracy[1]. Most people don't need to know all of the technical features of a URL; they just need to be able to use it as an address and recognize basic features like the hostname.
Street addresses are a good analogy. Most people understand the basics easily even though physical addresses are far more complex[2] than URLs!
> Now put yourself in the Apple's position where "an iOS app" or a "mac App" is about as trusted as a random website.
The mistake is in creating a category called "iOS app" or "mac app" and trying to fit every piece of third party code in the universe into that category.
What there should be is different categories of apps with different levels of trust. Then 95% of apps can go in the totally untrusted category because they don't actually need any special privileges. Which then makes asking for a trusted privilege a red flag rather than something the user clicks through because they see it for every app they install.
> Can you imagine if websites could control your firewall?
Realize that this has already happened. You wanted to block DNS to untrusted servers so everything would have to use your Pi-hole? Say hello to DoH. You could block AOL Instant Messenger by blocking port 5190, good luck doing that with Facebook.
The web made every protocol run over HTTPS to bypass your firewall, even if it has nothing to do with transferring hypertext.
Because that's what happens when you do security wrong. It has to be usable or it gets routed around. People started blocking unknown ports by default, or blocking/mangling protocols both of the endpoints didn't want blocked or mangled, so firewalls got displaced.
You don't actually want that to happen (again). You don't want the only options to be living in a cage or rooting your device with some unaudited 0-day code you got from some Russian hackers. There is value in the existence of the middle ground.
User freedom means being able to command our computers to do anything, even if it's against the law or against the business interests of corporations. A free computer is by definition hostile to corporations and governments since it can be used against them.
Security as an industry is generally all about protecting the interests of corporations and governments. Just look at how they react when normal people use subversive technology like encryption. The people in power simply cannot tolerate anything they have no control over.
…is not a monolith. There are plenty of people in security interested in giving you freedom as a user, actually, many do it specifically for that reason.
