★ Apple Disables WebKit’s JIT in Lockdown Mode, Offering a Hint Why BrowserEngineKit Is Complex and Restricted
https://daringfireball.net/2024/06/apple_disables_webkits_jit_in_lockdown_mode
@daringfireball This feels like a long-winded way of implying that Safari/WebKit’s JIT is more secure than 3rd party browser JITs. But there’s no evidence to support that. As far as I know, the major browsers have roughly equivalent security. I believe the UK authorities asked Apple to provide evidence that Safari was more secure and after consideration concluded that it was not. If Safari is not more secure, the reason for demanding these restrictions falls apart, doesn’t it?
@daringfireball Apple being willing to remove its own JIT, but only when running under its special high security lockdown mode is not in any way equivalent to Apple imposing a blanket ban on third party browser engines & JIT compilers.
@callionica @daringfireball having worked on browsers for more than a decade i can tell you with confidence that they are all pretty much the same when it comes to security. they all have a steady stream of horrible bugs.
@callionica @daringfireball Safari security is not the same as WebKit JIT security. There are many more things in a web browser than the JIT.
Also, you would need to show that every third-party JIT is more (or equally) secure when compared to WebKit’s if you want to show that the security can’t be weakened by allowing third party JITs.
@ahltorp @daringfireball Yes, browsers contain more than just JIT. I don’t believe there’s any indication that WebKit JIT is any more secure than anyone else’s, but if you have some info there, let me know.
Outside EU, Apple bans browser engines, so the interesting discussion for browsers is the relative security of the entire browser.
Within EU, Apple is prohibited from banning browser engines. If they wish to carve out exceptions based on security, it’s up to Apple to provide proof.
@callionica @daringfireball Do you think it’s a good idea, security wise, to leave JIT security decisions to a user choosing from a browser engine list in a stressful situation?
@ahltorp @daringfireball I think it’s appropriate for users to choose their own browser. I think there are security benefits to having a diverse ecosystem of browsers. If users are forced to use a specific browser for security reasons (a position I do not endorse), I would hope the browser everyone is forced to use would be the most secure and I have doubts that Safari is that browser.
@ahltorp @daringfireball Do you think that users should not be allowed to choose a browser other than the one supplied with the operating system?
@callionica @ahltorp I think whoever made the platform ought to decide how the platform works.
@callionica @gruber @ahltorp that’s rubbish. Android dwarfs iOS.
@callionica @gruber @ahltorp yes it’s rubbish that android provides the infrastructure for Europe when android dwarfs it.
@callionica @gruber Smartphones are infrastructure. Which makes it important that big smartphone manufacturers allow programs to run on their products.
That’s a consumer benefit. It’s not a consumer benefit that it becomes some sort of game where you have to avoid bad web browsers when you first start your phone.
Right now, it’s not enough to recommend someone an iPhone, you also have to say “oh, and by the way, when you get the trick question about web browser, choose Safari”.
@callionica @daringfireball Forcing them to and allowing them to are two very different things.
Do you think Android users should be forced to choose from different JVMs? File systems?
@ahltorp @daringfireball I think since the DMA ended up requiring browser prompting, it should have described exactly how the browser prompts would behave. Thankfully I don’t think the DMA says anything about requiring users to pick a JVM or file system.
@daringfireball good try to justify the abomination that is BrowserEngineKit but Lockdown Mode can just also simply set a global flag and disallow the JIT entitlement globally for all apps on the device without needing to do anything special for browsers
@st3fan @daringfireball I'm always amazed how far one goes to justify the bullshit.
Meanwhile the website still is unreadable on my iPhone... and half the time doesn't work in reader mode.
@hub daring fireball doesn’t work in your iPhone? Looks fine here…
@Mulderc it doesn't layout mobile, which means it is *unreadable*. Even with reading glasses I can't read it. And half the time reader mode isn't available.
@hub strange, perfectly readable to me but I guess I do usually read it via rss reader so maybe I am missing something but never found the website unreadable and I use an iPhone mini.
@Mulderc @hub “unreadable” means that the layout of the site does not work correctly on mobile. Try to double tap to zoom. It won’t behave as expected. The page will float and won’t lock. The text layout won’t adapt to the screen size, making you move the page all around to read full sentences. All this makes the experience horrible on mobile and definitely unreadable. It has been for years. For someone that claims how important typography is to him, this is baffling.
@stevesebban @hub double tap to zoom works for me…. I guess it doesn’t ”lock” but I have to actively try to scroll side to side for it to not just scroll vertically. The site could be better on mobile but it isn’t unreadable. My guess on it not being better designed for mobile would be it coming from the era where you read blogs via rss anyways so it didn’t matter what the site looked like nearly as much.
@stevesebban @Mulderc @hub Mine seems to work - double-tap to zoom zooms in on the content panel and scrolls up and down with a finger. I’ve read it this way on iPhone since the beginning. How is this unreadable?
@Mulderc @hub I’ve been an avid reader of DF since the earliest days… but because it was originally designed for old-school displays of the late 90s/early 2000s (1024 x 768), the font is uncomfortably small on modern devices. Not cool.
DF still uses Verdana, a font commissioned by Microsoft for low-resolution screens; it was released in 1996.
You can double-tap on an article to zoom the content to fill the viewport, which makes it easier to read.
@daringfireball I am pretty sure that most iOS and especially iPadOS users would be perfectly fine with macOS security level for browsers.
@gewappnet @daringfireball nope. Not me.