3 key things to know about Yosemite and security

Like its National Park namesake, Apple's newest operating system can be imposing, perhaps even a little daunting to newcomers. And although you won't find any bears in the digital version of Yosemite, that doesn't mean it's danger free. After all, online security is rarely a walk in the park--and these three features of Yosemite could potentially impact your security.

Spotlight knows where you are

Spotlight became a lot more useful in Yosemite, but it also became more talkative. That's because in order to return information about local services such as restaurants and other retail establishments it needs to know your location. That sounds logical, but it raised concerns from privacy advocates--and privacy-minded users--about just what information was being transmitted and what else it might be used for.

For its part, Apple says it's taken privacy concerns into consideration with Spotlight's new features, and even spells out its policy within the Security and Privacy pane in System Preferences.

In a response to The Verge, the company got even more specific, saying it uses a temporary identifier that resets every 15 minutes and that only a user's approximate, "blurred" location is transmitted. Additionally, the information is transmitted over a secure HTTPS connection.

If you're still not comfortable with that kind of information being transmitted, you can opt out of location-based search results by launching System Preferences, selecting Security & Privacy, clicking the Privacy tab, clicking the Details button next to System Services, and disabling Spotlight Suggestions in the resulting sheet.

Continuity: Sharing your data with yourself

Yosemite's much-touted Continuity features allow you to use your Mac and iOS device in a more tightly integrated way. You can start composing an email message or Pages document on one device and continue working on it on another device. You can do much the same with iMessages, SMS texts, and even phone calls. You can even connect your Mac to your nearby iOS device and send files via an improved implementation of AirDrop--all without ever entering a password.

How secure can that be? The trick to keeping it secure is in Apple's implementation. It uses a secure form of Bluetooth LE (for Low Energy) 4.0 for the connection, and will only connect devices that use the same Apple ID, signed into iCloud. Only then will the Handoff features be enabled.

Given the system limitations imposed and the fact that adding a Bluetooth LE dongle to your older Mac won't enable Continuity, it's likely there are other checks in place as well. But in typical fashion, Apple's not saying.

Still feeling cynical? You can opt out of this feature as well, even if you want to stay logged into iCloud on all your devices. Just go to the General pane in System Preferences and make sure the box next to Allow Handoff between this Mac and your iOS devices is unchecked.

Yes, you can change Safari's new URL display in Yosemite--but here's why you might not want to

You may have noticed a change in the way Safari displays web addresses in Yosemite. If you don't like it, you're certainly not alone--our own Kirk McElhearn dubbed it one of Yosemite's most annoying quirks. You may even be considering changing it back to the old behavior. It's certainly easy enough to do (and I'll even tell you how shortly), but before you jump on the give-me-back-my-full-web-address bandwagon, allow me to suggest that you leave things just the way they are.

Prior to Yosemite, Safari (and most other web browsers) displayed a web page's full URL--or at least as much of it as would fit in the address field. Beginning with iOS 7 (and continuing with Yosemite), Apple showed only the domain of the web page. In other words, if you visited www.apple.com/mac or apple.com/iphone, both would appear simply as apple.com in Safari's address field.

It's easy to assume that Apple altered the URL display solely because it liked the cleaner look. But the change also carries a security benefit, and aesthetics aside, that's why you might want to leave things just as Apple intended.

Say what you will about hackers, phishers, and other seedy denizens of the Internet, they can be a clever bunch. For one thing, they figured out that people were used to incredibly long, server-generated URLs, and stopped paying much attention to what appeared in the address field. They took advantage of this by creating intentionally long and convoluted addresses that spill out the back of the visible address field so that you can't see the real domain appended at the end. That .com you see early in the address may have another dot to the right, rather than a forward slash, which means that first whatever.com is bogus.

Apple's new display method cuts through all the clutter and shows us the real domain--front and center and stripped of all misdirection.
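To make the trick described above concrete, here is an added example (not from the original article, and not Safari's code) that reduces a URL to the domain a domain-only address field would show and lists any domain-looking decoys buried in the subdomain labels. The short suffix list, the function names, and the sample URLs are assumptions made for illustration; a real check would use the full Public Suffix List.

```javascript
// Added example: a simplified sketch, not Safari's implementation.
// Assumption: this short constructed list stands in for the full Public Suffix List.
const SUFFIXES = new Set(["com", "net", "org", "co.uk", "com.au"]);

const normalize = (host) => host.toLowerCase().replace(/\.$/, "");

// Registrable domain = one label plus the public suffix, e.g. "apple.com".
function registrableDomain(hostname) {
  const labels = normalize(hostname).split(".");
  // Scan left to right so the longest suffix ("co.uk") is matched first.
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // unknown suffix or IP address: keep the whole host
}

// Find domain-looking runs ("apple.com") buried in the subdomain labels.
function embeddedDecoys(hostname) {
  const host = normalize(hostname);
  const real = registrableDomain(host);
  const left = host.slice(0, host.length - real.length).split(".").filter(Boolean);
  const decoys = [];
  for (let i = 1; i < left.length; i++) {
    for (const len of [2, 1]) { // prefer two-label suffixes such as "co.uk"
      const suffix = left.slice(i, i + len).join(".");
      if (SUFFIXES.has(suffix)) {
        decoys.push(`${left[i - 1]}.${suffix}`);
        break;
      }
    }
  }
  return decoys;
}

// Summarize what a domain-only address field would show for a URL.
function inspectUrl(urlString) {
  const { hostname, protocol } = new URL(urlString);
  const decoys = embeddedDecoys(hostname);
  return { shown: registrableDomain(hostname), secure: protocol === "https:", decoys };
}

// Constructed sample URLs (example.net is a placeholder domain).
const SAMPLES = [
  "https://www.apple.com/mac",
  "http://www.apple.com.account-check.example.net/session/8f3a/index.html",
];
for (const u of SAMPLES) console.log(u, "->", JSON.stringify(inspectUrl(u)));
```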

It's also worth noting that when you're on a legitimate, secure site, even the padlock indicator shares center stage with the domain name, arguably making it even more noticeable than in previous iterations.

So, before you revert to that pre-Yosemite display, consider that it might be doing you a favor. And bear in mind that if you want to see the full URL in Yosemite, simply click in the address field and you'll see your web page's full URL in all its geeky, near-infinitely-long glory.

If you're still not convinced, open Safari's preferences, select Advanced, and enable the Show full website address option near the top of the window.

All's well that ends well

Staying safe online is a balance between convenience and security. Yosemite boasts lots of new features that make your Mac more useful than ever--especially in combination with your iPhone or iPad. Apple has put a lot of thought into its security and privacy implications. But to the company's credit, these features are all optional for those who don't consider the rewards worth the risk.


Stories by Chuck La Tournous
