Joe Kissell Takes Control of Apple Mail in iOS 11 and High Sierra
It’s been a while since the previous edition of Take Control of Apple Mail was published, so I had a lot to catch up on in my interview with Chuck Joiner on MacVoices. I’m not exactly a green rage monster this time, but there are a number of things about Mail I’m…less than happy about. If you feel the same way, I hope you find this interview therapeutic.
What You Need to Know About the EFAIL Vulnerability
Note: Please see the end of this article for updates.
Just hours before the scheduled release of Take Control of Apple Mail, Fourth Edition, my Twitter feed started blowing up with Urgent! Breathless! Warnings! about a newly discovered vulnerability that affects email messages encrypted with S/MIME or OpenPGP, about which I have a whole chapter in my book (“Sign and Encrypt Messages”). And my first thought was, oh, great, my book needs revising before it’s even out. I’ve now examined the original report that prompted the warnings and have a better understanding of the situation, which I’d like to share with you here, and which I plan to update as new facts emerge. Let me start with this, however:
The sky is not falling.
Yes, there is a problem, but (a) the odds that you will encounter it, even if you regularly use email encryption—and most people don’t—are incredibly small; (b) there are easy temporary workarounds; and (c) it is being fixed even as I type these words.
Let’s go over the details.
A team of European researchers found a vulnerability that they’ve dubbed EFAIL. The researchers’ EFAIL site summarizes the issue, and they have also published a complete technical paper (PDF). The very short version of the problem is that there is a technique that an attacker could potentially use to cause your email client to send the decrypted contents of an encrypted message to outside parties. This technique exploits a combination of weaknesses in two encryption standards, design flaws in certain modern email clients (Apple Mail among them, on both macOS and iOS), and less-than-ideal default settings. It works only when you receive and open a message that contains a hidden copy of encrypted email you’ve already sent or received—meaning you are almost certainly being targeted directly. And it affects both of the most common encryption methods—S/MIME (built into most email clients) and OpenPGP (used by GnuPG and other software).
In order for this exploit to work, the attacker must already have encrypted messages sent to or from you. (There are numerous ways these could be obtained, but all of them require the extra, and sometimes quite challenging, step of first hacking into your email in some way.) Once that’s done, the attacker takes the encrypted contents of one or more of these messages and hides it in a new, specially crafted, encrypted message sent to one of the original senders or recipients (and, presumably, made to look as though it comes from a trusted source). When the victim opens this message, their email client decrypts it and sends the attacker the plaintext contents of the encrypted message(s) hidden within it. So, this doesn’t give the attacker the ability to freely read all your encrypted email, only those specific messages sent to you or the other party in the email transaction in this sneaky way.
Why You Probably Don’t Have to Worry
EFAIL almost certainly won’t affect you, even if you take no action. Here’s why:
Very few people encrypt their email anyway. If you’re not using S/MIME or OpenPGP—and believe me, you’d know it if you were—there’s just nothing to see here.
I have seen no evidence, or even hints, that this exploit is being used, or has ever been used, in the wild. As far as I know, only the researchers who discovered the technique have actually tried it. (Obviously, that could change in hours or days, but it’s not like the bad guys have been actively using this already.) And remember, even if or when it does get out into the wild, an attacker can’t use this on you without first obtaining the existing encrypted email messages from your account that they want the contents of. That’s a nontrivial extra step.
The companies that make the affected email clients and third-party software are working on fixes right now. For example, the team that makes GPGTools has already tweeted that a mitigation is imminent, in GPGTools 2018.2, and that there’s an easy workaround in the meantime (about which, read on). And if Apple doesn’t address this in macOS 10.3.5 and iOS 11.4 within days, I’ll be shocked. (In other words: the vulnerability will likely be eliminated before anyone has time to exploit it.)
As the EFAIL researchers point out, although the developers of apps like Apple Mail, Thunderbird, and GPGTools can and should fix a variety of vulnerabilities, a complete and permanent fix requires changes to the S/MIME and OpenPGP standards, which will take longer. Even so, I fully expect the problem to resolve itself before it has any meaningful real-world effect.
What You Can Do Now
Long story short, flipping one switch is probably adequate.
If you are using Apple Mail on a Mac, and are actively using S/MIME or OpenPGP, the quickest and easiest way to immunize yourself against the most likely forms of this attack is simply to uncheck one box:
Go to Mail > Preferences > Viewing.
Uncheck “Load remote content in messages.”
Close the Preferences window.
(I already had this unchecked in my copy of Mail, and have long recommended that other people do so too, because loading images from HTML messages is often used for tracking, and although some of this tracking is entirely benign, I prefer a little more privacy than the default.)
The Electronic Frontier Foundation (EFF) recommends going further—removing the GPGMail plugin (if you use it) to prevent Mail from decrypting messages automatically at all. But I agree with the GPGTools developers that this step is entirely unnecessary.
On an iOS device, do this:
Go to Settings > Mail.
Turn “Load Remote Images” off.
And that’s it.
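To see what that setting changes for a given message, the following added example (not from the original article, and not Apple's or GPGTools' code) parses a raw message with Python's standard library, lists the URLs its HTML parts would fetch when rendered, and notes whether the message also carries S/MIME or OpenPGP/MIME encrypted parts. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Attributes whose URL a mail client fetches while rendering HTML.
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)


class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every remote fetch in an HTML part."""

    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        self._in_style = self._in_style or tag == "style"
        for name in sorted(attrs.keys() & FETCH_ATTRS):
            # srcset holds comma-separated "url descriptor" candidates.
            urls = ([c.split()[0] for c in attrs[name].split(",") if c.strip()]
                    if name == "srcset" else [attrs[name].strip()])
            self.refs += [(tag, name, u) for u in urls if REMOTE.match(u)]
        self.refs += [(tag, "style", u) for u in CSS_URL.findall(attrs.get("style", ""))]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS inside <style>...</style>
            self.refs += [("style", "css", u) for u in CSS_URL.findall(data)]


def is_encrypted_part(part) -> bool:
    ctype = part.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME: a missing smime-type is treated as encrypted, to be safe.
        return str(part.get_param("smime-type", "enveloped-data")).lower() == "enveloped-data"
    return ctype == "multipart/encrypted"  # OpenPGP/MIME container


def audit_message(raw: bytes) -> dict:
    """Report remote references in HTML parts and whether encrypted parts exist."""
    refs, encrypted = [], False
    for part in message_from_bytes(raw, policy=policy.default).walk():
        encrypted = encrypted or is_encrypted_part(part)
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            refs += finder.refs
    return {"encrypted_parts": encrypted, "remote_refs": refs}


# Constructed sample: an HTML part with remote references plus an S/MIME part.
SAMPLE = (b"From: sender@example.com\r\nSubject: constructed sample\r\n"
          b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
          b'<p style="background:url(//cdn.example/bg.png)">Hi</p>'
          b'<img src="https://tracker.example/p.gif?id=42"><img src="cid:logo">\r\n'
          b"--b1\r\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n")

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

The audit only sees HTML that is readable before decryption, so it shows what remote loading would fetch from the cleartext parts, not what is inside an encrypted body.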
A Few Last Remarks
In the paper that kicked off this whole crisis, the researchers included tables detailing which of the tested clients, on various platforms, are vulnerable to each of several variations on this attack. Interestingly, Canary Mail for iOS, an OpenPGP client I mention in my book, is not vulnerable. (The researchers didn’t test the Mac version, but I assume it’s also safe.) So, if you rely on OpenPGP-encrypted email on a Mac or iOS device, switching (even temporarily) to this client might be something to consider.
Finally, and I’ve said this many times in many books, keep your software up to date. All these fixes that developers are working on do you no good if you don’t install them. So please, keep up with system updates and security fixes for macOS and iOS, and make sure your third-party apps are also up to date.
If any significant new developments arise, I’ll update this article accordingly.
Update 2 (June 9, 2018): On June 4, GPG Suite from GPGTools was updated to version 2018.02, with mitigations for EFAIL. Apple also says that macOS 10.13.5 (released on June 1) addresses S/MIME vulnerabilities, although testing by the GPGTools developers indicates that Mail remains vulnerable to some EFAIL-related exploits.
Update 1 (May 31, 2018): Contrary to my expectations, neither Apple nor GPGTools has yet delivered an update to address this problem. I still expect fixes soon, but they didn’t happen as soon as they should have. In addition, one researcher has published a proof of concept exploit that could theoretically put your email at risk even if you disable the loading of remote images as described above. (And in any case, I should note that any mitigations you undertake on your own devices won’t help if your correspondents’ devices are compromised.) Even so, I have yet to hear of any real-world attacks involving the EFAIL vulnerability, and I still believe the sky is not falling. But I sure wish the security folks at Apple and elsewhere would kick their bug-fixing into high gear.
Apple Watch updated; Apple Watch book, not so much
In the nearly three years since the Apple Watch was introduced, we’ve seen four hardware iterations, four operating system releases, and millions of orders, making it a fairly mature product by modern tech standards.
During that time, we’ve also seen four releases of Apple Watch: A Take Control Crash Course, including the first version we published before the watch was even released. And now…well, we think four is a pretty good number, for now. Sales of the book aren’t enough to justify updating the manuscript to account for the changes in Apple Watch Series 3 and watchOS 4.
That turns out to be a pretty good opportunity for you and/or dozens of your Apple Watch-owning friends, because we’ve put together a great deal. Looking over the current version, easily 95% of the information is still relevant and helpful to anyone with an Apple Watch. Want to install apps, customize watch faces and complications, get driving or walking directions, or send messages? It’s all there.
Here’s an overview of what’s changed in the Apple Watch that isn’t specifically in the book:
The Apple Watch now runs watchOS 4, which represents more of a focus on fitness activities and technologies used in Apple’s ecosystem. watchOS 4 runs on all versions of Apple Watch, even the original “Series 0” hardware.
The Dock, which comes up when you press the side button, now displays apps as a layer of cards representing the most recent apps you’ve used. In the Watch app on the iPhone (in My Watch > Dock), you can change that to display Favorites, and put the apps in the order you prefer.
The app screen is, by default, the same blobby collection of circular app icons, but now there’s an alternative. Force-touch the app screen and choose List View to see the apps as a scrolling list.
Apple introduced a few new watch faces in watchOS 4. The Siri face is named because it has a prominent Siri button you can tap (if you’d prefer to invoke the assistant with a tap instead of pressing the digital crown or raising the watch and saying, “Hey Siri”). It also features informative cards that display things such as Apple News items, calendar events, and reminders. Also new is a Kaleidoscope face that takes photos and mirrors them into geometric patterns. And I also confess an affinity for the dozens of fun, animated Toy Story-themed faces.
The Apple Watch Series 3 includes a model with built-in cellular networking, which means the iPhone doesn’t need to be connected to the watch to use wireless features such as messaging, phone calls, or streaming music playback. Prices to enable the cellular feature vary among wireless providers, but in most cases it’s an extra monthly fee.
The Apple Watch Series 3 models also include an altimeter, a faster processor, more internal memory, and Bluetooth 4.2 wireless networking.
watchOS 4 adds the capability to stream music with an Apple Music subscription, versus syncing music tracks to the device separately. It also supports sending and receiving money via Apple Pay’s peer-to-peer payment feature.
The fitness features in watchOS 4 include more types of workouts, as well as compatibility with several gym equipment models to sync more detailed real-time workout data as you’re exercising.
Apple incorporated more coaching prompts and reminders to the activity features, providing nudges throughout the day if, for example, your exercise ring isn’t as far along at some point compared to the same time on other days. It sounds like a nagging feature, but in my experience, Apple has found a good balance between motivation and exasperation.
These are mostly refinements for what was already in the Apple Watch experience since the last release of Apple Watch: A Take Control Crash Course. If you’re looking for a great guide that covers all of the other foundational topics about the watch, take advantage of our new pricing for the book at just $5.
What Happened to Read Me First: A Take Control Crash Course?
Thanks for your interest in my ebook, Read Me First: A Take Control Crash Course! Written in 2014, this title was available for free from the Take Control website until midway through 2017, when it was withdrawn because the screenshots were dated and the information wasn’t always accurate for new versions of macOS.
When I wrote this ebook, I was editor-in-chief of the Take Control series, and I wrote it largely so we didn’t have to repeat certain topics in other Take Control titles. Of these, the three biggies were figuring out what version of macOS or iOS you were running, launching the System Preferences app on the Mac, and understanding directory paths. Keep reading below for tips on these three tasks.
The 49-page ebook did cover a few other topics, and if you’re running 10.9 Mavericks, 10.10 Yosemite, or 10.11 El Capitan and really want a copy of the PDF, feel free to ask at firstname.lastname@example.org. Some time after this title lived out its useful life, I used it as the starting point for another ebook, Take Control of Mac Basics. Weighing in at about three times the page count, Take Control of Mac Basics costs $15 and covers even more of the fundamentals of using a Mac while sharing oodles of tips for improving your everyday Mac experience.
Finding Your System Version
To complete this simple task on the Mac, move the pointer to the upper-left corner of the screen and click the Apple icon. Choose About This Mac from the menu. A window appears. Text in this window tells you the operating system version. Where, exactly, that text appears depends on which version. Look carefully and you’ll find it.
What about iOS? In iOS, open the Settings app and tap General. Then, tap About. Look on the About screen for the Version line, which will provide the version of iOS.
Launching System Preferences
Imagine this. You want to change the background image on your Mac’s Desktop. You search in Google for instructions and find an article that promises to tell you what to do. But, it tells you to open System Preferences. Okay, fine… but where is System Preferences? For that matter, what is System Preferences?
First, it’s an app that provides a home for “preference panes,” most of which come from Apple and let you configure various aspects of your Mac experience. Other preference panes are installed by third-party apps.
To open System Preferences, click the Apple icon at the upper-left corner of the Mac screen. Then, choose System Preferences. That’s the most obvious and reliable method, but there are lots of other methods, such as clicking its gear icon in the Dock, pressing Command-Space to invoke Spotlight, and then typing “sys,” and even clicking the round Siri icon on the menu bar and saying “open System Preferences” (assuming you’re running macOS 10.12 Sierra or later and have Siri enabled).
Any file or folder on a Mac can be found by navigating from a known starting point—usually the main level of a drive, through any intervening folders, to the item. Instead of writing out all that navigation with a lot of “Open this, then open that,” we use a path.
For example, if I want to tell someone where to find their Photos Library, I could say “open your home folder. Then open your Pictures folder. That’s where you’ll find a file called Photos Library.photoslibrary.” That’s a lot to write out and boring to read. So, instead, I could use a path and say, “You’ll find your Photos Library at /Users/homeFolder/Pictures/Photos Library.photoslibrary.”
A Tilde ~ in a Path
Paths like the one above that tell you to go to a spot inside the home folder can be awkward, since the writer can’t know the name of your home folder. Fortunately, there’s a shortcut. To indicate more gracefully that a path includes the user’s home folder, a writer might begin the path with a tilde character, like this: ~/Pictures/Photos Library.photoslibrary.
Typing or Pasting a Path
Instead of following a path by clicking from folder to folder in the Finder, you might wish to type the path—or copy and paste it. Pasting is handy when you want to follow a complex path that you see in an ebook or on the Web—you can copy the path using the Edit > Copy command and then paste it with Edit > Paste. Typing a path can also be a useful way to view a folder that is normally hidden. For example, if the instructions for some Unix task tell you to look in /var/log, this is your only method of navigating there—unless you want to work on the command line.
To follow a path by typing or pasting it, follow these steps:
In the Finder, choose Go > Go to Folder.
Enter the path by typing or pasting it, if you’ve already copied it.
Click the Go button.
A Finder window opens, showing the folder whose path you entered.
Try This Quick Tip for Making Your Pointer Easier to See
Yesterday was the first webinar for Take Control of Mac Basics, and I had fun sharing my actual Mac screen with viewers as I demonstrated some of my favorite Mac features. One viewer commented, however, that he had trouble seeing the mouse pointer. “Drat!” I thought, “I’m sure there’s a way to enlarge the pointer, and I wish I’d thought of that before starting the webinar.” Sure enough, it’s easy to make this change: go to System Preferences > Accessibility > Display, and drag the Cursor Size slider as desired. Saturday’s show will feature the pointer at nearly the largest size! (To access the webinars, make sure you have version 1.1 of the ebook and look in the chapter “The Mac Basics Webinar.”)
Joe Discusses the New Editions of His “Mac Fitness” Books
I joined Chuck Joiner on MacVoices (audio and video) to discuss the new editions of Take Control of Backing Up Your Mac, Take Control of Maintaining Your Mac, Take Control of Troubleshooting Your Mac, and Take Control of Speeding Up Your Mac—including their transition from Joe On Tech books back to the Take Control world.
You can now watch MacVoices #17219, “Tonya Engst Takes Control of Mac Basics.” In this video podcast, author Tonya Engst and MacVoices host Chuck Joiner consider what Mac features are basic enough to fit into the 140-page Take Control of Mac Basics ebook. Tonya also shares several interesting tips, and describes what happened behind the scenes as she created her book.
You may have seen the news about KRACK, a Wi-Fi exploit that can allow a determined invader to sniff traffic on your network encrypted with the latest and greatest WPA2 protection and decipher some or all of it. There’s a reason to be concerned: it affects every Wi-Fi radio ever made that uses WPA2, which is all of them since about 2003. However, in practice, someone has to be close to your network and use cracking software that doesn’t yet exist: the researcher who discovered the set of flaws exercised responsible disclosure, and thus malicious parties still have to figure out how to take advantage of these defects.
The flaws largely exist on the client side, so operating system and firmware updates on computers, phones, tablets, gaming devices, smarthome switches, and other equipment will take care of the problem. Base stations will be updated, too, preventing misuse of any device (even an unpatched piece of equipment) on updated networks.
What do you need to do? Apple already has updates in the latest betas for all its operating systems that will prevent these attacks from being used. iOS 10 and earlier users who can’t update or don’t want to will be in an awkward position, however, because their devices will remain vulnerable on networks that have unpatched or non-upgradable access points. Read more about this in my article at TidBITS, “Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be.”
Minor update to “Take Control of Upgrading to High Sierra”
Just hours after releasing version 1.1 of Take Control of Upgrading to High Sierra today, I learned about a few last-minute issues, not the least of which was that Apple had changed the minimum system requirements for installing High Sierra and I hadn’t noticed before version 1.1’s publication. (It was OS X 10.7.5, but now it’s 10.8.) A few other small things cropped up too, enough that I decided to push out a quick version 1.1.1 to address these small issues.
The Apple Watch sits solitary on your wrist, but it’s never been entirely alone. Every model since the beginning has relied heavily on the wireless Bluetooth connection to an iPhone for most of its smarts: running apps, looking up weather, interacting with Siri, and more.
Starting with the just-announced Apple Watch Series 3, that invisible tether can be snipped—mostly. The new models incorporate a radio chip that enables the watch to communicate with LTE cellular networks on its own. You can go for a run and leave the phone behind without worrying that you’re incommunicado.
A cellular Apple Watch has a few advantages: Siri is apparently faster, according to Apple, because the request isn’t being routed through the phone first. You can place and receive phone calls directly (although doing so drains the battery significantly, to the tune of about one hour of talk time). If you have an Apple Music subscription, you can stream Apple’s entire catalog via the watch (presumably to a set of AirPods, although the speaker will work, too).
Personally, I’m geeking out at the fact that Apple is using the entire OLED screen as the cellular antenna, which means the watch remains the same size and design as previous models. There’s a lot of sophisticated circuitry under that water-sealed case.
The Series 3 watches (which are also available in non-cellular configurations) boast improved performance thanks to a faster dual-core processor and elevation sensing via a new barometric altimeter. For more details, see Apple Watch Series 3 Goes Cellular.
Of course, Apple also offers a bunch of new bands (although I’ve found perfectly good alternatives that cost decidedly less online), and if you’re looking for something different in terms of style, a new gray ceramic model is now available.
All of the Series 3 watches are available for pre-order now starting at $349. They start to ship Sep. 22.