This isn't wrong but it's also not just Apple. Virtually all mainstream OSes scream into the cloud constantly and a disturbing amount of that traffic is either not encrypted at all or has unencrypted SNI fields and other easily fingerprintable content.
Apps do it too. I was amazed when I looked into it how many apps contain metrics and other telemetry features and how often this isn't encrypted or has unencrypted SNI data that can identify the app at least.
Then there's DNS, of course, which is still usually plaintext and can leak all kinds of information about what you are doing and running.
All this stuff taken together can pretty easily be used to fingerprint you.
The only way to fix this would be to adopt protocols like QUIC or later versions of TLS with encrypted SNI for everything all the time and block outgoing plain text http.
What I really think is that allowing apps carte blanche access to the Internet is just not tenable in 2023. It's a bit analogous to the old MS-DOS days when apps had open unprotected access to all RAM. Outgoing connectivity should be whitelisted.
The problem is, whitelists suck. Just browsing with NoScript is annoying. Unfortunately you cannot do anything to fix this at an individual level; you end up being your own 1-person full-time IT department.
We need some equivalent of class action; this is where companies like Apple could use their leverage, there's some precedent with things like blocking third-party cookies by default - this could've been the default in 1997, but we had to wait 20+ years and suffer all of the consequences in the process. Meanwhile the dominant platform (Chrome) won't change it, because conflict of interest.
Allowing everything to talk to everything was a mistake, but you can't fix it by cutting your own wire.
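To make the "unencrypted SNI" point concrete: the hostname an app connects to sits in plaintext in the TLS ClientHello, so any on-path observer (or your own network monitor) can read it without breaking the encryption. The following is an added example, not code from anyone in the thread; it builds a minimal ClientHello for a constructed hostname and then parses the server_name extension back out the way a passive sensor would.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying a plaintext SNI extension.
    The hostname and all other fields are constructed sample data, not a capture."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)        # ext type 0 = server_name
               + struct.pack("!H", len(sni_entry)) + sni_entry)      # server_name_list
    body = (b"\x03\x03" + b"\x00" * 32                               # client_version + random
            + b"\x00"                                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)             # extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if the
    record is not a ClientHello or carries no SNI. Mirrors what a passive
    observer sees: no keys are needed, only the plaintext framing."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                   # handshake record, client_hello
            return None
        p = 9 + 2 + 32                                               # skip headers, version, random
        p += 1 + record[p]                                           # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]              # cipher_suites
        p += 1 + record[p]                                           # compression_methods
        if p + 2 > len(record):                                      # extensions block is optional
            return None
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            p += 4
            if etype == 0 and elen >= 5:                             # server_name extension
                name_len = struct.unpack_from("!H", record, p + 3)[0]
                return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
        return None
    except (IndexError, struct.error):
        return None

if __name__ == "__main__":
    hello = build_client_hello("telemetry.example.net")             # constructed hostname
    print("SNI visible on the wire:", extract_sni(hello))
```

Running the same parser over the first packet of each outbound flow is how tools like Zeek and many firewalls attribute connections to a service, which is exactly why an unencrypted SNI identifies the app even when the payload is encrypted.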
> [...] block outgoing plain text http.
I have a TiBook here (an insanely powerful machine, by most retrocomputing standards), that struggles to keep up with modern crypto - both TLS and SSH. I really appreciate it when websites offer plaintext http as an alternative, without forcing an https redirect. Setting the Upgrade-Insecure-Requests header, followed by HSTS, does the right thing for modern browsers.
You can bootstrap a basic Linux userspace, starting at a C compiler and zero lines of code, into having a working shell and an HTTP client, in about one weekend; but the road from there to having modern TLS would be monumental. How much of the present world's knowledge is going to become permanently inaccessible, should we ever have to start bootstrapping?
> What I really think is that allowing apps carte blanche access to the Internet is just not tenable in 2023. It's a bit analogous to the old MS-DOS days when apps had open unprotected access to all RAM. Outgoing connectivity should be whitelisted.
This is a good idea. Users may not actually enforce it, though. I think most people would rather give all apps the permissions they ask for than quit using whatever program they're used to in favor of another one that doesn't send telemetry. Most people don't seem to care that much.
> The only way to fix this would be to adopt protocols like QUIC or later versions of TLS with encrypted SNI for everything all the time and block outgoing plain text http.
Or choose a phone that doesn't act against you in the first place.