
TidBITS#1362/27-Mar-2017

Since our last issue of TidBITS, Apple has flooded us with newsworthy moves. First, the company replaced the iPad Air 2 with a new iPad for a surprisingly low price, tweaked the iPad mini line, added PRODUCT(RED) iPhone 7 models, and doubled the storage capacity of the iPhone SE. It also released updates to iOS 10, macOS 10.12, watchOS 3, and tvOS 10. The iOS 10.3 update is particularly notable because it introduces a new file system, the capability to track down lost AirPods, and other significant refinements. To top it all off, Apple purchased the iOS automation app Workflow, and Josh Centers ponders what that could mean for the future of Apple automation. Finally, Adam Engst explains why the Take Control Web site was briefly labeled as “Not Secure” by the Google Chrome Web browser. Notable software releases this week include iTunes 12.6, EagleFiler 1.7.5, GraphicConverter 10.4, HoudahGeo 5.1.8, PopChar X 7.7, and Default Folder X 5.1.4.

Josh Centers

iOS 10.3 Adds New File System, Find My AirPods, and More

Apple has released iOS 10.3, a major update that includes a new file system, lets you track your AirPods with Find My iPhone, and provides a host of other notable tweaks. You can install the 560–650 MB update via Settings > General > Software Update or through iTunes.

The biggest new feature in iOS 10.3 is one you may not notice: it introduces Apple’s new Apple File System (APFS), which will eventually replace the legacy HFS+ file system currently in use on all of Apple’s platforms (see “What Apple’s Forthcoming APFS File System Means to You,” 24 June 2016). It remains to be seen what, if anything, this will mean for iOS users, but for now, the primary impact is a longer update process than usual while it converts the existing file system. At iMore, Rene Ritchie has a good rundown on APFS’s benefits. So far, I’m finding iOS 10.3 snappier than 10.2, but it’s impossible to say if that’s due to the new file system. Regardless, we always recommend backing up your devices before updating, but doing so is even more important with iOS 10.3.

Owners of Apple’s new wireless AirPods will appreciate that iOS 10.3 lets you track the little earbuds with Find My iPhone. You can either track their location on a map or make them play a locator tone. The sound is played on both AirPods and can be muted on each one individually, so if you drop one AirPod, you can silence the one you have so you can better hear the one you’re looking for. Given that replacing just a single AirPod costs $69, this new feature is extremely welcome (see “Apple’s Wireless AirPods Were Worth the Wait,” 20 December 2016). However, there’s a catch: the AirPods must be connected to (and thus in range of) a paired device for this feature to work. So while you should be able to locate an AirPod that disappeared into the couch cushions, you likely won’t be able to find one that you lost during a run.


iOS 10.3 brings support for cross-device iTunes movie rentals, which Apple first introduced in iTunes 12.6 (see “iTunes 12.6,” 21 March 2017). Now, finally, you can rent iTunes movies on one device and watch them on another, though you’ll need iTunes 12.6, iOS 10.3, and tvOS 10.2 to do so.

Siri sees a few improvements with iOS 10.3, including support for paying bills in supported apps, scheduling in ride-booking apps like Lyft, and checking cricket scores and statistics for Indian Premier League and International Cricket Council. If you own a car that can be controlled via an automaker app, you gain some cool Siri capabilities, such as checking your car’s fuel level and lock status, turning lights on and off, and activating the horn. It’s probably still easier to slam your hand into the steering wheel than to say, “Hey Siri, BEEP!”

Speaking of cars, CarPlay gets a few new additions, such as app shortcuts in the status bar, Up Next and the current song’s album in Apple Music’s Now Playing screen, and access to daily curated Apple Music content.

Apple has rethought identity in the Settings app. Your identity now takes center stage above all other settings and provides a shortcut to a new, more coherent screen to handle your personal information, payment options, security settings, account information, and Family Sharing.


Apple has also addressed the problem of Calendar spam, which made the news late last year (see “How to Stop iCloud Calendar Spam,” 29 November 2016). You can now delete unwanted invites and report them as junk.

HomeKit sees some welcome improvements in iOS 10.3: you can now trigger scenes with switches and buttons, and the Home app now shows Accessory battery levels.


Other improvements include being able to search for “parked car” in Maps, a new widget and 3D Touch action for the Podcasts app, the option to share podcasts with full playback support in Messages, and hourly weather forecasts in Maps if you 3D Touch the current temperature. Also, iOS 10.3 addresses a bug with Maps that could prevent it from showing your location after resetting Location & Privacy settings, as well as improving VoiceOver stability.

There are a couple of additions not mentioned in the release notes. In iOS 10.3, developers can now respond to App Store reviews. I’ve also noticed one small change in Mail: a count of unread Inbox messages in the back button when viewing an email thread. Lastly, iOS 10.3 includes a total of 67 security fixes!


When Should You Upgrade? — Honestly, although Apple doesn’t even mention the move to APFS in its user-level release notes, that’s the main reason to hold off. If there’s some subtle problem that surfaces only once hundreds of thousands of devices have updated to iOS 10.3, you don’t want to be among that group. So we recommend waiting at least a week before installing iOS 10.3, and perhaps longer if you don’t use AirPods, suffer from Calendar spam, or automate your house with HomeKit. After that, though, give it a whirl and enjoy the new features!

Adam Engst

Apple Releases macOS 10.12.4, watchOS 3.2, and tvOS 10.2

For Apple’s four operating systems, updates have become a one-for-all and all-for-one proposition. As is often the case, iOS received the most attention with the iOS 10.3 release (see “iOS 10.3 Adds New File System, Find My AirPods, and More,” 27 March 2017), but Apple also pushed out macOS 10.12.4, watchOS 3.2, and tvOS 10.2.

macOS 10.12.4 — macOS 10.12.4 Sierra is available via Software Update, where it’s a roughly 2 GB download. Alternatively, you can download a delta updater (for 10.12.3, 1.79 GB) or combo updater (from any version of 10.12, 2.04 GB).


The most significant change in 10.12.4 is the addition of Night Shift, a feature previously available only in iOS that automatically shifts the colors of the screen to the warmer end of the spectrum after dark. Night Shift, much like the independent f.lux utility, is designed to help you sleep better by reducing the amount of blue light that tricks your body into thinking it’s earlier than it is. Look for it in System Preferences > Displays and Notification Center.

Beyond the addition of Night Shift, macOS 10.12.4 brings with it a few international improvements. For those who follow cricket, Siri can now provide scores, schedules, and player rosters from the Indian Premier League and the International Cricket Council. Apple added dictation support for Shanghainese. And the update improves right-to-left language support (such as for Arabic and Hebrew) for the Touch Bar, toolbar, and visual tab picker in Safari.

Although we don’t know the full extent of the changes, Apple promises that 10.12.4 resolves several PDF rendering and annotation issues in Preview. Those fixes are likely in the troubled rewrite to PDFKit that debuted in Sierra; we can hope the improvements will make life easier for developers who work with PDF (see “Sierra PDF Problems Get Worse in 10.12.2,” 2 January 2017, and “Apple Releases macOS Sierra 10.12.3, iOS 10.2.1, tvOS 10.1.1, and watchOS 3.1.1,” 23 January 2017). Another fix claims to resolve a bug that prevented content from appearing in Mail messages.

Finally, Apple added support for more digital camera raw formats and a whopping 65 security fixes.

On the enterprise side, 10.12.4 provides a handful of improvements and fixes. Apple says that the update:

  • Adds the tethered-caching command, which optimizes certain downloads for iOS devices tethered via USB. For details, enter man tethered-caching in Terminal.

  • Updates the security command to include the delete-identity option, which deletes both a certificate and its private key from a keychain. For details, enter man security in Terminal.

  • Updates the profiles command to include the -N flag, which displays a device-enrollment notification that prompts the user to complete Mobile Device Management (MDM) enrollment. For details, enter man profiles in Terminal.

  • Fixes an issue that causes notebook computers connected to certain docking stations to display a blank screen instead of the macOS login window on the built-in display.

  • Fixes an issue that causes a newly changed user-account password to be rejected at the macOS login window, if FileVault is turned on.

  • Adds the ability to automatically renew certain certificates delivered via a configuration profile.

  • Includes numerous Xsan fixes.

watchOS 3.2 — Less exciting is watchOS 3.2, which is a 225 MB update that you install via the Watch app on your iPhone (in Watch > Settings > General > Software Update). Remember that the Apple Watch must be on its charger, charged to at least 50 percent, and within range of your iPhone, which itself must be on Wi-Fi. Don’t start installing if you’ll want to use the watch again within an hour or so — watchOS updates take surprisingly long to load.


The main addition in watchOS 3.2 is Theater Mode, which you toggle via a new button in Control Center (swipe up from the bottom of the screen). When enabled, Theater Mode turns on silent mode and disables the standard Raise to Wake behavior, leaving the screen off until you tap it. That prevents the Apple Watch from lighting up in a dark theater if you raise your wrist for any reason.


Apple also expanded the Apple Watch’s support for Siri to include independent apps, so you can now theoretically use Siri to start workouts, send messages, make payments, book rides, and more. Siri support in non-Apple apps extends only to a few categories of apps, and developers have to support it, so don’t expect that you’ll be able to talk to every app.

On the international side of things, Scribble is now available in French, Spanish, and Italian. And, for those who have been frustrated by the lack of feedback when syncing music to the Apple Watch (which seems to take forever!), music playlist sync progress now appears in the Watch app on the iPhone.

As with every operating system update these days, there are a slew — 31 all told — of security fixes worked into watchOS 3.2.

tvOS 10.2 and Apple TV Remote app — Finally, Apple released tvOS 10.2, which mostly provides things of interest to developers (and 39 security fixes), but does offer one nice refinement for users. You can get the tvOS 10.2 update on your fourth-generation Apple TV via Settings > System > Software Updates > Update Software.

tvOS 10.2 now provides what Apple calls “Accelerated Scrolling support” for apps. In practice, this means that you can swipe up or down on the far-right side of the Siri Remote’s touchpad to navigate quickly through long lists. In the screenshot below, the jump points appear as dots, each one representing a page in the list.


Most of the user-facing improvements to the Apple TV are found in the Apple TV Remote app, which Apple updated to version 1.1. It has now been optimized for iPad support, though don’t get too excited: it seems to be essentially the same as the iPhone version, just larger (that’s a whole lot of black in the screenshot below). When I downloaded the app on my iPad, I still had to filter the App Store search results for “iPhone only” apps to be able to see it.


Another improvement in the Remote app is an enhanced Now Playing screen. While playing media, you can tap Details in the upper right to view the currently playing media, along with direct media controls, such as pause and rewind. If you swipe up on that screen now, you can see additional detail. For instance, doing so when playing music shows your Up Next queue.


And swiping up on Now Playing while watching a movie shows additional movie information and a chapter list.


The Update Question — As always, the question we’re asked after one of these mega-release days is if users should jump on the updates or not. We’ve installed them all and haven’t noticed any serious problems in initial use, but that’s relatively meaningless. Our take is that there’s no real reason to install any of these updates immediately unless you’re suffering from a problem expressly addressed by them. However, given the number of security fixes involved in each one, we do strongly recommend that you update within a few weeks.

Josh Centers

Apple Replaces iPad Air 2 with New 9.7-inch iPad

Apple has introduced a new, non-Pro 9.7-inch iPad to replace the iPad Air 2, fiddling with the specs slightly and dropping the price by $70. The new model is called just “iPad” again, but is officially dubbed “iPad (5th generation)” for support purposes.

It comes in silver, gold, and space gray colors, and is available with either 32 GB of storage for $329 or 128 GB for $429. Cellular models cost $459 for 32 GB of storage or $559 for 128 GB. It became available to order on 24 March 2017.

The new iPad measures 9.4 inches high by 6.6 inches wide by 0.29 inches deep (240 x 169.5 x 7.5 mm), which is almost the same as the iPad Air 2, although it’s 1.4 mm thicker, which could pose a problem for some cases. The new iPad is also slightly heavier than the iPad Air 2 at 1.03 pounds (469 grams) for the Wi-Fi-only model; the corresponding iPad Air 2 weighed 0.96 pounds (437 grams).

While the iPad Air 2 featured an A8X processor, the new iPad boasts a faster A9 chip, the same processor used in the iPhone 6s. Unfortunately, it doesn’t have the A10 Fusion chip that powers the iPhone 7 or even the iPad Pro’s A9X.

The new iPad’s cameras are essentially the same as those in the iPad Air 2. The new model features an 8-megapixel f/2.4 aperture rear camera that can capture 1080p video at 30 frames per second — the only improvements we can see are Apple saying that the new model includes auto image stabilization and a hybrid IR filter, which should improve clarity and sharpness somewhat. The front-facing FaceTime HD camera captures 1.2-megapixel photos with an f/2.2 aperture and 720p video. Like the iPad Air 2, the new iPad features stereo speakers, and yes, a 3.5 mm headphone jack.

While the new iPad’s screen is the same 2048-by-1536 resolution found in the iPad Air 2, it lacks the laminated display and anti-reflective coating that the iPad Air 2 used to reduce reflections and increase picture clarity. That alone may account for the $70 price drop.

You also shouldn’t expect to see any of the 9.7-inch iPad Pro’s niceties in the new iPad. It doesn’t feature the wide-color True Tone display, True Tone camera flash, Live Photos support, 4K video capture, or support for the Apple Pencil and Smart Connector accessories like the Smart Keyboard. However, the new iPad is nearly half the price of the equivalent 32 GB iPad Pro, which costs $599. We hope to see some announcements surrounding the iPad Pro line soon.

At $329, Apple has priced the new iPad aggressively; it’s even more attractive for the education market at $299. It’s also the new low-end iPad, now that Apple has dropped the $269 iPad mini 2. The iPad mini 4 remains available, but in only a single 128 GB storage tier for $399.


Nevertheless, we can’t see many people upgrading from an iPad Air 2 or even an iPad Air to this new iPad. The improvements just aren’t sufficiently compelling, as nice as the new model is as an entry-level iPad.

Josh Centers

Apple Introduces (PRODUCT)RED iPhones, Doubles iPhone SE Storage

Apple has announced some minor updates to the iPhone line: a (PRODUCT)RED iPhone 7 and iPhone 7 Plus Special Edition and increased storage tiers for the smaller iPhone SE model. The company also introduced some new colors for iPhone cases and Apple Watch bands.

Apple has long partnered with the (RED) charity to benefit the Global Fund to Fight AIDS, Tuberculosis, and Malaria by offering products in the licensed (PRODUCT)RED color. Apple has now announced the iPhone 7 and iPhone 7 Plus (PRODUCT)RED Special Edition, which are the same as the existing iPhone 7 and 7 Plus models, but in a red aluminum finish. The (PRODUCT)RED iPhones became available for ordering on 24 March 2017. While they’re the same price as equivalent existing iPhone models, they’re available only with 128 GB and 256 GB of storage; there is no 32 GB storage tier.


Kudos to Apple for supporting (RED), but we can’t help but think there would have been more impact if these models were available at the iPhone 7’s September 2016 launch, instead of six months later.

If you already own an iPhone 7, but like the red color, you can buy a (PRODUCT)RED leather case for it from Apple.

Apple also quietly doubled the storage tiers for the 4-inch iPhone SE, so you can now get a 32 GB model for $399 or a 128 GB model for $499.

Finally, Apple introduced new iPhone case colors. The silicone case is now available in Azure, Camelia, and Pebble, while the leather case is now available in Berry, Sapphire, and Taupe. The inscrutable color names are reminiscent of Crayola crayons; you’ll need to check them out online or in person to get a sense of what “Berry” actually looks like, for instance.


Apple added to its Apple Watch band options too. The popular Apple Watch sport band is also now available in the Azure, Camelia, and Pebble colors. Plus, there’s also now a new Black/Volt Nike sport band, an orange woven nylon band, a saddle brown classic buckle band, and a new Hermès Fauve Barenia leather band.

If you find these announcements underwhelming, it’s likely that Apple is merely clearing the decks for more significant announcements in the near future. In particular, the flagship iPad Pro line is due for a refresh, as are many Mac models.

Josh Centers

What Apple’s Purchase of Workflow Means for Automation

When I wrote “Workflow Is the Next Step for iOS Automation” (21 December 2014), I had no idea how literal that title would prove to be. Apple has now purchased Workflow and the team behind it.

As you may recall, the Apple Design Award-winning Workflow is an automation app for iOS in the same vein as Automator on the Mac (see “Apple Announces 2015 Design Award Winners,” 10 June 2015). You can use it to perform actions in supported apps automatically. For instance, you can use Workflow to send your estimated time of arrival to a friend, upload photos, or shorten a URL.

Apple usually pulls acquired apps from the App Store, but not this time. Instead, Workflow is now available for free. Unfortunately, Apple has dropped support within Workflow for Google Chrome, Google Maps, LINE, Pocket, Telegram, and Uber, and Workflow Gallery submissions are no longer being accepted. Developer Marco Arment points out that may be more because of legal issues than any particular strategy.

Recent Automation News — This acquisition is a plot twist in Apple’s ongoing automation saga. In November 2016, Apple eliminated the position of Product Manager of Automation Technologies (see “Understanding Apple’s Marginalization of the Mac,” 21 November 2016). The man who filled that position for two decades was Sal Soghoian, a legend in the Apple power user community who championed technologies such as AppleScript and Automator. Among other consulting projects, Sal is now helping the Omni Group with automation in their apps.

Apple’s unceremonious elimination of Soghoian caused much concern in the Mac community, despite reassurances from Craig Federighi, Apple’s senior vice president of software engineering. It certainly did nothing to alleviate concerns that Apple no longer cares about professional users. Many of you made your concerns heard loud and clear in “73 Mac Automation Stories from TidBITS Readers” (19 January 2017), which collected amazing stories of how you’ve used the Mac’s automation technologies. And yes, Adam did send the collection to Craig Federighi and Tim Cook. No, he didn’t hear back.

Our curiosity was piqued further when Soghoian publicly cautioned Apple to not replace existing automation tools with app extensions (see “Is Apple Planning to Replace Automation with App Extensions?,” 12 January 2017).

So what does Apple’s purchase of Workflow mean for Apple’s professional and power users? Overall, the acquisition seems like a positive sign, but big questions remain. I don’t want to speculate about the future of Apple automation too broadly, but we can make some inferences based on what we know about the company.

Apple Sees the iPad as the Future — Despite declining sales growth, Apple appears committed to the iPad as the future of computing, releasing products like the iPad Pro, accessories like the Apple Pencil and Smart Keyboard, and iPad-only apps like Swift Playgrounds.

One big missing puzzle piece for the iPad’s professional future is system-wide automation. Tools like Workflow, Editorial, and Pythonista have existed for years on the iPad, but they lack the system integration, ease-of-use, and capabilities of Automator and AppleScript on the Mac.

If Workflow were integrated into iOS with a system for third-party app integration, it could become a powerful, easy-to-use automation tool. However, Apple would have to build out the automation underpinnings in iOS before that could happen. Workflow currently uses a kludgy system called x-callback-url, developed by Greg Pierce and Marco Arment. It was a clever workaround when they introduced it in 2010, taking advantage of iOS’s URL schemes to let apps communicate with each other, but Apple could do much better.

In a Twitter conversation with Pierce, Arment said, “The crazy thing is that URL-scheme bouncing between apps is still necessary for so many useful things on iOS. I always assumed that it’d be a few-years-long hack until iOS caught up and gave us something better. Maybe now it will.”

Sal Soghoian has pointed out the difference between app extensions and true user automation; the question is if Apple sees app extensions as being sufficient for Workflow’s underpinnings. That would be better than nothing, of course, but app extensions are more akin to what Services provide in macOS (if you don’t remember Services, check out “OS X Hidden Treasures: Services,” 5 February 2016).

One big question about an automation scheme based on app extensions and a Workflow front end is just how powerful it could be. Could it compare to what can be achieved with Automator and AppleScript on the Mac, or would it be closer to Workflow’s current limits?

For a far more capable system, Apple could create something in iOS like the Apple event system that enables apps to communicate with one another on the Mac. In an ideal scenario for those who support Mac automation, Apple would bring actual Apple events to iOS. Then a developer would have to build on that by creating a terminology — a scripting dictionary containing commands and objects — and having the app listen for and respond to incoming Apple events. On the Mac, AppleScript is one of the main ways that users can interact with apps via Apple events, but I can’t see Apple porting AppleScript to iOS.

The challenge Apple events face in iOS is the tension between scriptability and security — the kinds of hooks that are necessary for scriptability can be used as an attack vector unless the system has been designed carefully to limit that. The Apple event system on the Mac treads that line by operating at the user level; to avoid being exploited, any iOS approach would likely have to be similarly or even more restrictive.

Apple Sees Swift as the One Language to Rule Them All — Along with the iPad, Apple sees Swift as the future of development, going so far as to open-source it (see “Apple’s Swift Programming Language Is Now Open Source,” 3 December 2015) and build the friendly Swift Playgrounds iPad app to help kids learn how to use it (see “Playing Around with Swift on the iPad,” 13 June 2016).

Beyond its role in developing traditional apps, what’s interesting about Swift is that it can be used as a scripting language. Developer Filip W proved this concept years ago — see “Using Swift as a Scripting Language” (6 August 2014), although we haven’t heard much about Swift’s use as a scripting language since.

Of course, Swift can’t control Mac or iOS apps yet — it would need something like JavaScript for Automation (JXA), which is a set of special libraries that lets scripters use JavaScript instead of AppleScript for interapplication communication.

I bet Apple would like to have Swift become the preferred scripting language across all its platforms. Then, people could start with scripting and move on to full-fledged app development without having to learn another language. By bridging the gap between scripters and developers, Apple could expand its ecosystem.

Apple Wants macOS and iOS to Share Common Foundations — Since the beginning, iOS has shared a common core with macOS. Over time, the two platforms have traded capabilities — usually new features developed on iOS going “back to the Mac.” In the case of scripting, it would make more sense for Apple to move the Apple event model to iOS, likely in a restricted way, than to come up with something completely new for iOS that would then need to be evangelized to all Mac developers in the other direction.

The question is how closely the iOS system will match up with the Apple events that Mac automation relies on now. If Apple were to start supporting a subset of Apple events in iOS, giving users access in iOS via Workflow and Swift, it would be easy to imagine Workflow coming to the Mac to replace or supplement Automator (Swift is obviously already available for Mac users).

It seems likely that Apple will announce something related to Workflow and iOS automation at WWDC in June 2017, with an eye toward it shipping in some form in iOS 11 in September. Or, if my excitement is getting the better of me, it might all have to wait until iOS 12 in 2018.

Perhaps Apple will split the difference, and do what it did with Siri. At first, Siri could perform actions only with built-in iOS functionality and Apple apps. With iOS 10, though, Apple opened Siri up to a few types of apps, including apps for messaging, ride booking, payments, VoIP calling, workouts, and CarPlay. iOS automation might similarly be limited to a small subset of what’s possible on the Mac today, enabling Apple to feel out the security implications before making it more capable in future releases.

How that would affect Workflow coming to the Mac is hard to guess. It might come with macOS 10.13 this September, or it may be an iOS-only feature for a year, and show its face on the Mac with macOS 10.14 in 2018.

Beyond any speculation, we can see one thing for sure from Apple’s acquisition of Workflow: the company hasn’t lost interest in automation, which is good news. But the devil is in the details, especially in a system that has to balance user capabilities against security.

Adam Engst

Why Take Control Was Briefly Labeled “Not Secure”

Anyone who visited the Take Control site using Google Chrome from March 9th through 17th might have seen a dire-sounding warning that “Your connection is not private,” much like the screenshot below. That statement was far more extreme than the actual situation, but without knowing the back story, you might have been scared off from using our site. We want to apologize, explain what happened, and how we fixed it.


Certificate Background — First off, the cryptographic foundation for secure Web connections relies on an ecosystem of which “digital certificates” are a vital part. You can judge your connection secure when you load a Web URL that starts with https, the page loads without errors, and the browser shows a lock icon next to the URL in your browser’s address bar. (The screenshots below show what this looks like in Safari, Chrome, and Firefox.) Secure connections prevent bad guys from eavesdropping on your traffic, so it’s safe to transmit credit card details and other sensitive information.




The entire system is based on trust, backed up by verification. (Interestingly, the saying “Trust, but verify,” is a translation of a Russian proverb that was used regularly by President Ronald Reagan.) At the top level are major browser makers. Apple, Google, Microsoft, and Mozilla all set stiff requirements that third-party verification organizations must meet to be included in — and thus trusted by — their respective browsers.

These third-party verification organizations are called “certificate authorities” (CAs) because they provide independent authority that a certificate is valid. A top-level, or root, CA has to meet stringent rules for browser makers to bundle its “root certificate” into their browsers. Only several hundred organizations worldwide meet the bar, and browser makers require audits and continuously evaluate reports of any problems.

Root CAs issue what are effectively countersigned certificates: a company like TidBITS that wants to have a secured Web server creates a request with some text portions and some cryptographic ones, and a CA evaluates whether we are a legitimate party for the domain that we want to secure. If we pass its validation, the CA issues a certificate cryptographically signed by it using its root certificate.

You can also work with delegated, or intermediate, CAs. Root CAs create intermediate certificates derived from their root certificates to allow other parties, like DNS and Web hosting companies or firms that sell corporate hardware, to create valid certificates that meet the same standards as the root.

The result is a chain of trust, with a CA’s root certificate at one end, often an intermediate certificate from a reseller in the middle, and an individually issued certificate at the other end. By embedding root certificates, browsers (and operating systems) make it possible for a user to know that the connection to a particular Web site is secure: the CA that sold us our certificate vouches that we are who we say we are, and the top-level CA vouches for the issuing CA. In turn, users trust the browser makers to support only trustworthy root certificates. (The browser provides an “out-of-band” element of trust: we’re not using a potentially insecure Internet connection to check that the CA root certificate is valid, because that trust is already baked into the browser.)

This certificate system is based on public key cryptography, with the public certificates associated with private keys held by each entity in the chain. As a result, certificates go beyond verifying identity to enable a Web browser and server to exchange a session encryption key without risk of interception and thus encrypt all the traffic that passes over the connection.
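To make the chain of trust concrete, here is an added Go example (not from the article or TidBITS) that builds a made-up root CA, intermediate CA, and server certificate with the standard crypto/x509 package, then checks the server certificate the way a browser does: with the root in the trust store, with the intermediate left out, with the root dropped from the trust store (what a browser distrusting a CA amounts to), and with a mismatched hostname. Every name, including the hostname, is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed chain of trust: root CA, intermediate (reseller) CA, server certificate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// must panics on error; with a working CSPRNG nothing below can fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certTemplate describes a CA certificate (ca true) or a server certificate whose
// name is the DNS name it is served under, valid for the given number of years.
func certTemplate(serial int64, name string, years int, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// signCert gives the template a fresh P-256 key pair and has signer countersign it;
// a nil signer means self-signed, which is how a root CA's own certificate is made.
func signCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain plays the CA side: root countersigns intermediate, intermediate countersigns the server cert.
func BuildChain(host string) *Chain {
	rootTmpl := certTemplate(1, "Example Root CA", 10, true)
	root, rootKey := signCert(rootTmpl, rootTmpl, nil)
	inter, interKey := signCert(certTemplate(2, "Example Intermediate CA", 5, true), root, rootKey)
	leaf, _ := signCert(certTemplate(3, host, 2, false), inter, interKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf plays the browser's role: roots stands in for the trust store baked into the
// browser, intermediates for what the server sent. It returns the validated chain's length.
func VerifyLeaf(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool() // empty, never the system store
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// RunScenarios checks one server certificate under four conditions; a nil verdict means a lock icon.
func RunScenarios(c *Chain, host string) (int, map[string]error) {
	inter, root := []*x509.Certificate{c.Intermediate}, []*x509.Certificate{c.Root}
	n, err := VerifyLeaf(c.Leaf, inter, root, host)
	v := map[string]error{"trusted root": err}
	_, v["missing intermediate"] = VerifyLeaf(c.Leaf, nil, root, host) // server sent only its own cert
	_, v["distrusted root"] = VerifyLeaf(c.Leaf, inter, nil, host)     // root dropped from the trust store
	_, v["wrong host"] = VerifyLeaf(c.Leaf, inter, root, "other.example")
	return n, v
}

func main() {
	host := "takecontrolbooks.example" // constructed name, not the real site
	n, verdicts := RunScenarios(BuildChain(host), host)
	fmt.Println("chain length:", n, "verdicts:", verdicts)
}
```

Only the first scenario succeeds, with a three-certificate chain; the other three fail with "unknown authority" or a hostname error, which is the condition behind a browser's “Not Secure” label.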

Historically, the process of getting a certificate for your Web server was both expensive and onerous — you could easily drop $300 to $500 a year in the not-so-distant past. Since 2010, when we first went down this road, we’ve worked with a CA called StartCom, which offered substantially less expensive certificates. Getting a certificate from StartCom required multiple authentication steps and scans of legal documents that confirmed our personal and corporate identities, and the process always ended with a phone call to check the details.

Once I had the certificate from StartCom, I had to install it, which involved copying it and StartCom’s intermediate certificate to our server and modifying Apache and Sendmail configuration files to point to it. The certificate was good for two years, so I’ve had to repeat the process three times so far, and honestly, I hate it. I had to take copious notes so I could recreate the steps, and since I’m merely adequate at Unix administration, I was always worried I’d mess something up badly. Nevertheless, I managed to do it, with the last renewal coming in August 2016. (Our long-running on-demand system admin, Glenn Fleishman, also used StartCom until this fussiness got to him a few years ago.)

StartCom Problems — Here’s where our problems started. It appears that StartCom was quietly acquired by a Chinese CA called WoSign in late 2015. The specifics are still murky, but between the details of the acquisition not being made public and various bad actions on the part of WoSign, Apple, Google, and Mozilla all announced last fall that their Web browsers would no longer trust new certificates issued by StartCom.

That didn’t affect us until 9 March 2017 when Google released Chrome version 57, which also stopped trusting StartCom’s old certificates — including ours. Suddenly, Chrome 57 users saw that “Your connection is not private” interstitial warning before our site loaded. If someone went past that by clicking the Advanced link and the Proceed link, all pages on the Take Control site were labeled as “Not Secure.” You can imagine my consternation! Neither Safari nor Firefox complained because they still trust StartCom’s old certificates. Luckily, because Chrome updates itself over time, and needs to be relaunched before the new version loads, relatively few people saw the problem.

(Thanks to Twitter user @shepgo for alerting me to Chrome’s behavior. He and I weren’t able to figure out what was happening at the time, because my copy of Chrome hadn’t yet updated itself to version 57, but when we got a customer complaint the next day, I was able to put it all together fairly quickly.)

Despite these warnings, nothing had actually changed with the security on our site or with the encryption for traffic to and from our site. (I verified this with TidBITS security editor Rich Mogull.) However, Google no longer wanted to use its reputation to vouch for a user’s privacy, because it had stopped trusting StartCom to behave reputably. A more accurate version of the message could have said, “Google cannot verify your connection is private,” but that doesn’t light a fire under users. In essence, Google, along with Apple and Mozilla, were punishing StartCom and WoSign for bad behavior by ensuring an exodus of their customers. It worked.

(StartCom could have dealt with this problem in a positive and proactive way by alerting all its certificate holders about the problem and suggesting a move to other valid CAs until it could reorganize itself and regain trust. It did nothing along these lines, which is why this situation became a crisis rather than a technical task I could have handled in a more relaxed fashion.)

Hey Folks, Let’s Encrypt! — Once we figured out what had happened, we switched to using Let’s Encrypt, a non-profit CA that provides free certificates. Let’s Encrypt’s certificates are good only for 90 days and must be renewed after that time, although that can (and should) be automated easily.

Happily, Let’s Encrypt has radically simplified the process that I had so laboriously sweated through with StartCom every two years, thanks to client software that supports ACME (Automatic Certificate Management Environment). There are numerous ACME clients that you can run on your Web server, but Let’s Encrypt recommends the EFF’s Certbot, which is relatively easy to install and run on a wide variety of operating systems and with different Web servers. Instead of making you jump through identification hoops, Certbot validates that your Web server is authoritative for your domain by confirming that the server can be reached at the domain names you claim to control. This is apparently sufficient for the chain of trust.

If you’re familiar with installing Unix apps, you’ll have no trouble with Certbot. I got Glenn to help since I always worry that I’ll do something that will kill the server. In the end, however, it turned out to be almost shockingly simple. We used wget to grab a copy of Certbot, changed some permissions, and when we ran it, it installed itself. Actually getting and installing a certificate just involved running Certbot again with a flag that told it to configure everything for Apache. It read our configuration files, asked a few questions about what domains to support, acquired and installed a certificate, and updated our Apache .conf files.

Although I didn’t set up Certbot to renew our certificate automatically because I want to see it work the first time, I’ll do that after the first manual renewal by creating a cron job that schedules Certbot to renew the certificate on its own. (Certbot provides a “dry run” option for automatic renewal that lets you test whether any problems would crop up.)

Throughout all this, I was running the Qualys SSL Server Test, and even after switching to Let’s Encrypt, we were getting only a B rating. Some more research revealed that our Apache .conf files weren’t setting choices of SSL ciphers optimally, so the server could potentially use some ciphers that weren’t as secure as others. When I fixed the SSL cipher lines according to these recommendations, our site started getting an unqualified A rating. I also had to delete some extraneous lines in the .conf files that still referred to the StartCom certificate.
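As an added illustration of the kind of cipher fix described above (this is not the Take Control server’s actual configuration, and the specific recommendations the article followed are not reproduced here), the first stanza shows a permissive Apache SSL setup of the sort that earns a B, and the second a hardened one. The file paths follow Certbot’s standard layout; `example.com` is a placeholder for your own domain, and the stale chain-file line stands in for the leftover StartCom references the article mentions deleting.

```apache
# Weak: every protocol OpenSSL knows, every cipher, and the client picks the order.
# A stale line left over from the previous CA's intermediate is also still present.
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL
    SSLHonorCipherOrder off
    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/ssl/old-ca-intermediate.pem   # placeholder; stale
</VirtualHost>

# Hardened: TLS 1.2 and later only, forward-secret AEAD ciphers, server-chosen order,
# and no reference to the old CA's intermediate (fullchain.pem already carries the chain).
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
```

After editing, run `apachectl configtest` before reloading, and re-run the Qualys test to confirm the grade; the protocol and cipher lines are what the test scores, and the chain-file cleanup avoids serving an intermediate that no longer matches the certificate.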

The main thing I haven’t yet done is replace the StartCom certificate in our Sendmail configuration with the Let’s Encrypt certificate. I believe I know how to do that, but I need to do more research into how Sendmail will realize that Certbot has renewed the certificate.

Though I spent hours figuring out what happened and how to resolve the problem, it was doubly worthwhile in the end, since working with Let’s Encrypt is cheaper and easier than with StartCom, and the additional configuration changes I made further hardened our site’s security.

One last thing. StartCom and WoSign were the bad guys in this situation, and their customers are the ones who suffered. But dubious behavior on the part of CAs isn’t unheard of, and Google is going to start punishing Symantec, the largest CA in the world, for a variety of questionable practices. If you get your certificates from Symantec or a Symantec-owned reseller, you might look into alternatives.

So, if you’re at all unhappy with your certificate provider, and especially if you bought your certificates from StartCom, I recommend that you give Let’s Encrypt a try.

TidBITS Staff

TidBITS Watchlist: Notable Software Updates for 27 March 2017

iTunes 12.6 — Apple has issued iTunes 12.6 in conjunction with the release of the new iPad (“Apple Replaces iPad Air 2 with New 9.7-inch iPad,” 21 March 2017) and iPhones (see “Apple Introduces (PRODUCT)RED iPhones, Doubles iPhone SE Storage,” 21 March 2017) with a feature that’s long been requested — the capability to watch iTunes movie rentals on any of your Apple devices. The feature also requires iOS 10.3 or tvOS 10.2, both of which have just been released (see “iOS 10.3 Adds New File System, Find My AirPods, Other Major Refinements,” 27 March 2017, and “Apple Releases macOS 10.12.4, watchOS 3.2, and tvOS 10.2,” 27 March 2017).

Dubbed “rent once, watch anywhere,” the feature enables you to start watching a movie on your Apple TV at home and then finish it on your next morning’s bus commute by streaming it on your iPhone. Previously, you could transfer rentals made on your Mac to an iOS device by performing a sync, and you couldn’t access rentals made on an Apple TV on any other devices.

Other changes in iTunes 12.6 include the capability to open playlists in their own windows and a redesign of the MiniPlayer. (Free, 269 MB via direct download or Software Update, release notes, 10.9.5+)


EagleFiler 1.7.5 — C-Command Software has released EagleFiler 1.7.5, ensuring that the New Browser Window command makes a new window for better consistency with the Finder. Additionally, the document organization and archiving app tweaks the behavior of the Command-Up Arrow and Command-Down Arrow keyboard shortcuts so that they no longer change the selection in the records list when their corresponding menu commands (Enclosing Record and Contents of Record) are disabled. The update also no longer tries to import metadata files for Dropbox’s Selective Sync feature, partially works around a bug in macOS 10.12 Sierra that could prevent text from being indexed properly (though you will need to rebuild indexes to see a change for existing records), improves error reporting when moving files, and makes some updates to documentation and the Help menu. ($40 new with a 20 percent discount for TidBITS members from C-Command Software or from the Mac App Store, free update, 18.0 MB, release notes, 10.6.8+)


GraphicConverter 10.4 — Lemkesoft has issued GraphicConverter 10.4 with added support for 32-bit-per-channel images (HDR), improved manual downloads, and new batch processes: Rename and Multiply Alpha Channel by Factor. The venerable graphic conversion and editing utility also adds an option to automatically add parent keywords in the Browser Keywords palette, adds import and export support for the EBM image format, resolves a possible crash with the Insert Text batch process, and updates Czech, French, Danish, Japanese, and Swedish localizations. ($39.95 new from Lemkesoft or the Mac App Store, free update, 125 MB, release notes, 10.8+)


HoudahGeo 5.1.8 — Houdah Software has released HoudahGeo 5.1.8, improving the performance of the photo geotagging app when loading a large Photos library. The update also works around a problem with malformed GPS data written by some Nikon cameras and resolves an issue with downloading GPS track logs from Garmin devices. ($39 new with a 25 percent discount for TidBITS members, free update, 21.7 MB, release notes, 10.11.5+)


PopChar X 7.7 — Ergonis Software has issued PopChar X 7.7, the final scheduled maintenance release for PopChar 7 before Ergonis releases version 8 later this year. The character discovery utility now adjusts metrics for eight new fonts (particularly Google’s Noto fonts), extends diagnostic information for email support, resolves a potential crash related to the construction of the layout menu, fixes a problem with an incorrect display of certain combining marks (such as vowel signs), improves the removal of relics from previous updates, and reduces network traffic when checking for updates. (€29.99 new with a 25 percent discount for TidBITS members, free update, 4.6 MB, release notes, 10.6+)


Default Folder X 5.1.4 — St. Clair Software has released Default Folder X 5.1.4 to fix issues that should improve reliability for the Open/Save dialog enhancement utility. Default Folder X now copies tags to its own tag field below the Save dialog and includes commands to remove or edit the current default folder in the Favorites menu. The release also fixes a memory leak caused by opening a file dialog and then closing it quickly, corrects an issue that caused the app to stop functioning when selecting a new original for a Finder alias, and works around a Spotlight bug that could cause a crash. ($34.95 new, TidBITS members save $10 on new copies and $5 on upgrades, 6.4 MB, release notes, 10.10+)


TidBITS Staff

ExtraBITS for 27 March 2017

In ExtraBITS this week, Apple has announced (but not released) Clips, a new social photo and video app, and the U.S. and UK have both banned large carry-on electronics from flights originating from several African and Middle Eastern countries.

Apple to Release Clips, a Free Social Photo and Video App — Apple has announced that it will soon release Clips, a new social-focused photography and video app. The free Clips app will take square photos and videos that are ideal for most social networks, and it will offer fun features like titles, filters, and overlays. Apple gave Lauren Goode of the Verge early access, and she has written a full review. It’s unclear why Apple is making Clips separate from the Camera app — perhaps the company plans to field test new features in Clips before migrating the most popular to Camera? Or perhaps it’s meant as a precursor to an augmented reality app? Or maybe it’s just the latest incarnation of Photo Booth? We hope more becomes clear when Clips ships in April 2017.


Large Electronics Banned on Some International Flights to the U.S. and UK — The United States and United Kingdom have banned nearly all electronics larger than a phone from flights originating from several African and Middle Eastern countries. The ban will include carry-on laptops, tablets, electronic book readers, and cameras, but those devices will still be allowed in checked baggage. A U.S. Department of Homeland Security official told the BBC that the ban was based on “evaluated intelligence,” likely related to reports that Al Qaeda in the Arabian Peninsula is trying to build bombs with little or no metal content to target commercial aircraft.
