[HN Gopher] Updating from macOS Ventura to Sonoma Silently Enabl...
___________________________________________________________________
Updating from macOS Ventura to Sonoma Silently Enables iCloud
Keychain
Author : frizlab
Score : 52 points
Date : 2024-05-19 19:44 UTC (3 hours ago)
(HTM) web link (lapcatsoftware.com)
(TXT) w3m dump (lapcatsoftware.com)
| saurik wrote:
| This isn't the first time, nor will it be the last: the only
| reason I'm actually using iCloud Keychain is because, despite
| always turning it off and feeling like I needed to keep doing it
| over and over again every time I got a new device, one day I was
| in a discussion with someone about it and I went to show them how
| I turn off most of the iCloud features, and I discovered I had
| actually failed and now had already been using iCloud Keychain
| and so all my passwords were already in it.
| tailspin2019 wrote:
| I had the exact same experience with iCloud Drive (or whatever
| it is/was called) years ago. I kept turning it off and never
| agreed to use it and one day discovered it was on anyway and a
| bunch of my stuff was already in the cloud.
|
| Pretty egregious behaviour.
| plorkyeran wrote:
| Isn't the workaround here to back up your keychain file, remove
| your passwords from the keychain, update to Sonoma, disable
| iCloud keychain, then import the backup? Not a trivial process,
| but should be easier than the author's attempted workaround of
| disabling SIP and installing while offline.
|
| Long term I suspect the actual answer will be that if you don't
| want to use iCloud Keychain then you just can't use the keychain
| at all, which is a shame as it once was one of the good parts of
| macOS.
| lapcat wrote:
| > should be easier than the author's attempted workaround of
| > disabling SIP and installing while offline
|
| Disabling SIP wasn't an issue, because I had already done it to
| eliminate slow app launches:
| https://lapcatsoftware.com/articles/2024/2/3.html
|
| On my second attempt, I managed to update without an internet
| connection. See the new addendum to the article.
| nhod wrote:
| i understand and agree that this should at the very least have an
| opt-in dialog box.
|
| that said, apple did add the option for end-to-end encrypted
| "advanced data protection" for the majority of icloud data a year
| or so ago.
|
| perhaps they also enabled it by default in sonoma?
|
| https://support.apple.com/en-us/108756
| lapcat wrote:
| > perhaps they also enabled it by default in sonoma?
|
| No, they didn't.
|
| Anyway, iCloud Keychain has always been end to end encrypted.
| TillE wrote:
| Right, it's obviously end-to-end encrypted because if it
| weren't, everyone would have been screaming for years about
| how horrendously insecure it was.
|
| iCloud Keychain is fine, just use a good password. There's no
| particular harm in letting Apple store an encrypted blob for
| you on its servers.
| SpikeDad wrote:
| And only enabled if 2FA is enabled. It won't work without (as
| won't many Apple services).
| CharlesW wrote:
| Even with so-called standard data protection, iCloud Keychain
| passwords are always end-to-end encrypted, and Apple cannot
| decrypt them.
|
| "For additional privacy and security, 15 data categories --
| including Health and passwords in iCloud Keychain -- are
| end-to-end encrypted. Apple doesn't have the encryption keys
| for these categories, and we can't help you recover this data
| if you lose access to your account."
|
| https://support.apple.com/en-us/102651
| throw20240511 wrote:
| Gah, I didn't realize that iCloud Keychain was enabled
| automatically on iOS 17. I checked and it's been on for months.
| Why would they do this?
|
| I remember when Microsoft uploaded people's personal wifi creds
| in Windows 10. It's all highly suspect.
|
| Stop it. This oversharing by default will doom us all.
| ChrisMarshallNY wrote:
| Actually, I figured it out, when an app I wrote, that uses the
| keychain, started allowing me to log into the app, using Sign
| in with Apple (which has some stuff that is only available when
| the login is set up), on devices that were not the ones that I
| set up.
|
| In my case, I liked that, and so will my users.
|
| But I do think that it could be problematic, if this means that
| authorities could now get ahold of your keychain, when having
| it restricted to a single device, avoids that.
| LeoPanthera wrote:
| Presumably, only if you already have an iCloud account, and are
| signed in?
| wila wrote:
| I had to blink twice last time when I installed Sonoma on a new
| partition that I did not have to provide a wifi password. This
| appears to confirm that. While I can understand that some people
| would appreciate this, I'm not exactly chuffed by a fresh install
| silently grabbing passwords from an old install.
| LeoPanthera wrote:
| That is not related. Mac computers store the last successful
| wifi credentials in the EFI, and use them to give macOS
| Recovery internet access.
| spaceguillotine wrote:
| if you have an iPhone, iPad or any other logged in device with
| the wifi password it will auto grab it from that device without
| you doing anything.
___________________________________________________________________
(page generated 2024-05-19 23:01 UTC)