Mac Certificate Check Stokes Fear That Apple Logs Every App You Run

Last week, Apple released macOS Big Sur and the rollout was anything but smooth. The mass upgrade caused the Apple servers responsible for checking if a user opens an app not downloaded from the App Store to slow to a crawl. Apple eventually fixed the problem, "but concerns about paralyzed Macs were soon replaced by an even bigger worry -- the vast amount of personal data Apple, and possibly others, can glean from Macs performing certificate checks each time a user opens an app that didn't come from the App Store," writes Dan Goodin via Ars Technica. From the report: Before Apple allows an app into the App Store, it must first pass a review that vets its security. Users can configure the macOS feature known as Gatekeeper to allow only these approved apps, or they can choose a setting that also allows the installation of third-party apps, as long as these apps are signed with a developer certificate issued by Apple. To make sure the certificate hasn't been revoked, macOS uses OCSP -- short for the industry standard Online Certificate Status Protocol -- to check its validity. [...] Somehow, the mass number of people upgrading to Big Sur on Thursday seems to have caused the servers at ocsp.apple.com to become overloaded but not fall over completely. The server couldn't provide the all clear, but it also didn't return an error that would trigger the soft fail. The result was huge numbers of Mac users left in limbo.

The post Your Computer Isn't Yours was one of the catalysts for the mass concern. It noted that the simple HTML get-requests performed by OCSP were unencrypted. That meant that not only was Apple able to build profiles based on our minute-by-minute Mac usage, but so could ISPs or anyone else who could view traffic passing over the network. (To prevent falling into an infinite authentication loop, virtually all OCSP traffic is unencrypted, although responses are digitally signed.) Fortunately, less alarmist posts like this one provided more helpful background. The hashes being transmitted weren't unique to the app itself but rather the Apple-issued developer certificate. That still allowed people to infer when an app such as Tor, Signal, Firefox, or Thunderbird was being used, but it was still less granular than many people first assumed. The larger point was that, in most respects, the data collection by ocsp.apple.com wasn't much different from the information that already gets transmitted in real time through OCSP every time we visit a website. [...] In short, though, the takeaway was the same: the potential loss of privacy from OCSP is a trade-off we make in an effort to check the validity of the certificate authenticating a website we want to visit or a piece of software we want to install.

In an attempt to further assure Mac users, Apple on Monday published this post. It explains what the company does and doesn't do with the information collected through Gatekeeper and a separate feature known as notarization, which checks the security even of non-App Store apps. The post went on to say that in the next year, Apple will provide a new protocol to check if developer certificates have been revoked, provide "strong protections against server failure," and present a new OS setting for users who want to opt out of all of this. [...] People who don't trust OCSP checks for Mac apps can turn them off by editing the Mac hosts file. Everyone else can move along.

Fear?

[ebonum]

More like: makes it widely known.

Re:

[Joe_Dragon]

Testing app store only by slowly locking out non apple stuff? But not full app store only as some apps will not run in the sandbox.

Opt out? HAHAHAHAHA !

[stooo]

Fear ? Opt out ?
What a bunch of liars at apple.
Yes, they log every step you do on their computer you lease from them, and they want to give you an OPT OUT option !
HAHAHAHAHA !
Apple in 2020. A joke.

in Soviet Russia

[Anonymouse Cowtard]

In Soviet Russia, Apple eats YOU!

I'm Shocked Shocked I tell you

[oldgraybeard]

that there is gambling going on here.
An Apple app checking for authorization(a code signed app, with an authorized apple deployment profile) to run on each and every device it is on at every startup.

Skeptical

[battingly]

I'd like to know how they're going to do an encrypted check of a cert revocation, which itself will need a check for a cert revocation. It's turtles all the way down.

Re:

[raymorris]

Whoever said they were going to do "an encrypted check of a cert revocation"?

> which itself will need a check for a cert revocation. It's turtles all the way down.

One could use two roots to check each other. That's not needed because everyone uses the root. If people know you're checking a root, what does that tell them? There is no privacy issue there.

Re:Skeptical

[Anonymous Coward]

They don't need to do an encrypted check. Part of the code signing process at compilation time includes in the binary/package the public key portion of the developer certificate that was used to sign it. The SHA256 thumbprint (previously SHA1) is what gets transmitted to ocsp.apple.com to check whether or not that particular certificate has been revoked, which is easy for Apple to check because they're the CA and so have signed all of the Apple Developer certificates.

If the iDevice/Mac cannot communicate with ocsp.apple.com, or gets HTTP errors, it assumes that the certificate is OK* which is why editing your HOSTS file to include 127.0.0.1 ocsp.apple.com works to disable this functionality.

At the end of the day this code signing and OCSP process works exactly the same way as on Windows (aka. Windows SmartScreen aka. Windows Defender SmartScreen) and linux. I don't hear anybody complaining about that.

* there are other conditions, such as whether or not the current time is between the certificate's validFrom and validTo properties, whether or not the binary/package was timestamped at the point of code signing, but that's it in a nutshell.

Re:

[TechyImmigrant]

I enjoy frustrating cryptographers by asking them to explain in terms a normal human would understand, how homomorphic encryption is useful. Replacing OCSP with something that gives nothing away is actually one of those things, but they never come up with that.

Re: Skeptical

[SleepingEye]

I like how you associate a website technology that is off by default, and told to you what they're doing... to a silent all app on my pc check.

Re:

[dabadab]

At the end of the day this code signing and OCSP process works exactly the same way as on Windows (aka. Windows SmartScreen aka. Windows Defender SmartScreen) and linux. I don't hear anybody complaining about that.

Yeah, it totally works like that in Linux.
Except that it does not. Not at all. None of this horrible privacy intrusion is there.

Please stop making up shit to defend Apple.

Re:

[lessSockMorePuppet]

Uh, no, apt-get doesn't send things out to check a certificate. It does that locally.

Re:

[Joce640k]

I'd like to know how they're going to do an encrypted check of a cert revocation, which itself will need a check for a cert revocation. It's turtles all the way down.

Not if there's a separate public key for the revocation check.

Re:

[stooo]

Encrypted ?
Don't you know encryption is opt-in ? :)

Wait a minute.

[Fly Swatter]

So if YOUR program (sorry, app) can't be verified by phoning home (sorry, Apple) while an internet connection is otherwise working, no app for you? Is this not a potentially huge single point of failure for everyone's Apple machine?

Re:

[oldgraybeard]

There has to be some by pass code. Otherwise a non connected mac would have real problems, so would iOS for that matter. None of my dev iPads have Cell ,except one. And they work fine with no wifi.
Ok maybe the apps only test at install. But how do they know my dev cert/deployment profile expired. Just went through that. So there must be at least one attempt to connect.

Re:Wait a minute.

[_xeno_]

There has to be some by pass code. Otherwise a non connected mac would have real problems, so would iOS for that matter.

There is. Apple's verification code will only try and verify the revocation status via OSCP if it can find the OSCP server via a DNS lookup and then even then if the connection attempt fails it'll just assume the certificate is still valid.

The failure was that the server was responding, starting the connection, and then that was it, it would never complete the connection or do anything. If you waited long enough, the attempt would time out, but it would take quite a while.

But if you're offline or if you can't connect to the OSCP server, stuff will still work for the most part. (Apparently the timeout on the connection attempt is much quicker.)

Re:

[oldgraybeard]

Make sense ;) thxs

Re:

[oldgraybeard]

Make->Makes
Darn! I just can't type today

Re:

[Shades72]

Wasn't there a 30 second wait period (maximum) built into the TCP protocol (before a networked device determines the connection is bad)?

While waiting 30 seconds doesn't happen often, such a waiting period feels like forever, when working in an application. Or starting/closing any networked software on any computer that supports the TCP protocol.

So, no. You won't wait a minute, just half a minute...

Re:

[Computershack]

That felt like what was happening on my MBP as apps would launch but with the same delay. Not knowing what was happening and with a MBP with a SSD that's now 6 years old I started to suspect the SSD failing.

Re:

[nottooloud]

So glad to know what this is. I am frequently on closed networks, and my Mojave laptop has been doing the slow app startup for two years. Unplug the ethernet, boom, all the apps start, plug it back in, good to go. Makes me crazy. Now I can fix it.

Re:

[gnasher719]

So if YOUR program (sorry, app) can't be verified by phoning home (sorry, Apple) while an internet connection is otherwise working, no app for you? Is this not a potentially huge single point of failure for everyone's Apple machine?

A single point of failure in a hacker's plan to break into your machine by download some hacked application.

Re:

[ceoyoyo]

I guess you missed the part where it assumes the certificate is good if it fails to contact the server?

Re:

[MadMaverick9]

If you have not experienced at least a few of these issues, then you have already succumbed and you are being fucked in your ass.

Re:

[gtall]

"you are being fucked in your ass". You appear to find this erotic. Come out already, you'll feel better about yourself.

A push model is obviously the correct way

[Pinky's Brain]

Doing certificate revocation using a pull model is stupid.

They probably do do push

[SuperKendall]

Doing certificate revocation using a pull model is stupid.

Since Apple supports push to the desktop, they probably are able to revoke certificates via push.

More stupid still is to rely on a single mechanism.

Re:

[TechyImmigrant]

Doing certificate revocation using a pull model is stupid.

Since Apple supports push to the desktop, they probably are able to revoke certificates via push.

More stupid still is to rely on a single mechanism.

There is no shortage of things about the current PKI model that can be described as being stupid. OCSP is one of the corner cases. Still stupid, but there is plenty of low hanging fruit of stupidity before you get to OCSP.

Re:

[munch117]

The only thing just as stupid is using a push model...

Push revocations are O(number_of_certificates_in_the_world). With a small constant, sure, but it still has the capacity to be overwhelming. What would you say to 100MB of revocations coming over the metered internet connection to your phone every month?

Re:

[tlhIngan]

Push revocations are O(number_of_certificates_in_the_world). With a small constant, sure, but it still has the capacity to be overwhelming. What would you say to 100MB of revocations coming over the metered internet connection to your phone every month?

Certificate Revocation Llists (CRLs) are deprecated because they were getting so large it was actually problematic syncing them all. That's why it moved from a universal list of revoked certificates to OCSP where you can query certificates as and when you nee

Re:

[Pinky's Brain]

You're not revoking 100MB of certificates at a time. Certainly not appstore certificates, which is a tiny pool by comparison.

Bluetooth issues

[Ol Olsoc]

I'm getting support for a Bluetooth issue. My upgrade went smooth, but my BT headset will connect, then disconnect after about 5 seconds, and you can't hear anything at those times. If they don't fix it within a week, I'll revert back to Mojave.

With my hearing problems, a nose cancelling total cover headset is pretty mandatory - my wife has very good hearing, and gets irritated at the slightest sound.

Re:

[Ol Olsoc]

my wife has very good hearing, and gets irritated at the slightest sound.

You have a disability and your wife gets upset over it? Sorry to briing this up, but that sounds pretty fucked to me.

Yes, it is messed up. An example is two nights ago, I didn't have socks on, and I was moving my feet back and forth across the floor. (I'm a fidgeter and not very good at sitting perfectly still) Made some noise apparently. Well, I caught hell for that. Meanwhile, she wonders why I spend as much time as possible in my office. Married life.

To late your in the Apple

[oldgraybeard]

walled garden. No sense worry about the bottom after you jumped off the cliff.

Re:

[Anonymous Coward]

The thing about the Apple Silicon transition...

Why would you gimp an iPad Pro by removing touch, adding a non detachable keyboard, employing a dated desktop metaphor and yet only for the same walled garden telemetry experience?

Woz, if he weren't still with us, would be turning in his grave.

Interesting...

[AlexHilbertRyan]

Its interesting that of the major choices for OS, Linux is headed by a European, while the spying and lack of human respect O/S like Apple and Microsoft are from the land of Freedom.

Re:

[Computershack]

You might want to do some research into what Canonical did with Ubuntu in 2011. Ubuntu phoning home to do the same as Windows et al did was a big story in the tech world at the time.

/etc/hosts solution

[ugen]

In /etc/hosts add an entry for:
127.0.0.1 ocsp.apple.com

Problem solved.

Re:

[Pinky's Brain]

They don't respect VPN settings but they do respect /etc/hosts?

Re:/etc/hosts solution

[Shades72]

Not likely. Better get your old computer from your attic or basement and turn it into a pfSense or OPNSense firewall/routing device. Place it between your ISP's modem and your computer(s). Disable the WiFi from the modem and install your own WiFi device(s), also behind that router.

Put any kind of traffic filter you think you need on that router and you have made an environment that Apple computers (or Windows for that matter) won't be able to circumvent. Because if the router is configured to say no to certain traffic, Apple/Microsoft can circumvent their own software as they please, but your router will be like Gandalf, shouting: "thou shall not pass!!" to the Balrog at/on the bridge in Moria.

Yes, it requires more knowledge on your end, but it ain't that hard. Once you have a decent enough grasp of it, you'll find you are boss in your own network again.

Heck, once you have that up and running, add DNS management to that router and you'll see less (or more generic) adverts when surfing with any device behind that router.

Re:/etc/hosts solution

[BeaverCleaver]

It's targeted more at ad-blocking, but I have been very happy with Pi-Hole: https://pi-hole.net/ [pi-hole.net]

I am decidedly NOT a networking expert but it was very straightforward to set up. I don't use Apple products, but it should be easy enough to add this authentication from Apple to Pi-Hole's blacklist, which would allow it to fail gracefully, and transparently to the user.

Re:/etc/hosts solution

[uufnord]

ocsp.apple.com canonical name = ocsp-lb.apple.com.akadns.net.
ocsp-lb.apple.com.akadns.net canonical name = ocsp.g.aaplimg.com.
Name: ocsp.g.aaplimg.com
Address: 2620:149:a18:f000::7
Name: ocsp.g.aaplimg.com
Address: 2620:149:a18:f100::6

Don't forget IPv6

Re:/etc/hosts solution

[Kitkoan]

This reminds me of the old argument "If you want to do X on iOS, you just need to jailbreak it. Its easy". Sure, your solution might work today, same as jailbreaking did then, but with time Apple will "patch" that hole.

Re:

[TechyImmigrant]

In /etc/hosts add an entry for:
127.0.0.1 ocsp.apple.com

Problem solved.

Old school slashdotters can be easily triggered by mention of hosts files.

Re:

[antdude]

And then, Apple will ignore that file. IIRC, MS did this with its own Windows. :(

One chance to make a good first impression ...

[sk999]

... and Apple has butchered it. I have enough stress. My wireless router kicked the bucket after 10 years - what to get? My DSL modem (yes still using that) became flaky after 17 years - do they still make these? Three power outages in 2 days. And now Apple - sorry, we can't allow you to open a text editor, just because we implemented a crap system?

Sorry, "apologies, we will fix it" does not hold water. This whole Gatekeeper thing has only one purpose - to protect the image of Apple. Not users. Appl

Re:

[drinkypoo]

As a long-ago customer of Apple (Mac SE), the current company is not the one that I knew.

The Mac SE, like all doorstop Macs, had a design which was explicitly intended to keep the user out of the case. You need an extra special long Torx driver to get in there, known as a MacCaseCracker. Steve Jobs didn't want anyone to have expansion ports, so that they would have to buy a new machine to get more functionality. By the time Apple made the Macintosh, it was very much the company you know and dislike today. Most of the ways they dick users around today simply didn't exist back then.

editing the HOSTS file?

[retchdog]

Who could have known that APK would be right eventually?

Fortnite

[bill_mcgonigle]

Is this how they can assure that when Epic gets their cert revoked that they won't get any more DLC revenue?

Fortunately Apple has our back. Like an older brother. A big, older brother.

They have created, for the first time in all history, a garden of PURE ideology!

The saddest part is ...

[MadMaverick9]

not that apple is doing this ...

no ...

The saddest part is that despite all the abuses by government and companies - people do not change.

Developer certificates vs app certificates

[l2718]

One linked commentary claims the privacy concerns are overblown because the system phones home with a plaintext certificated unique to the developer rather than unique to the application. Now if you primarily run a few applications all created by the same developer, then this is not a big deal. But the typical user runs many applications from a large variety of developers. Yes, Eve the eavesdropeer won't be able to tell if I'm running Firefox or Thunderbird, but she will sure be able to distinguish either from Notability and Minecraft.

Re: Developer certificates vs app certificates

[ToasterMonkey]

Eve the eavesdropper can infer what application you're running from DNS queries and destination addresses. J.F.C.

This is getting so stupid and contrived now. If you run some software that otherwise generates zero recognizable network traffic, a person eavesdropping on your internet connection!!!! could use OCSP checks to see which developer cert was used, and maybe guess that you are running XYZ app. Jesus, anyone that paranoid, why are you still connected to the internet without a proxy and default deny

GET is HTTP!

[jjaa]

GET is an HTTP request, HTML is a language to describe a document... news for nerds, eh?

Whose tradeoff?

[famebait]

the potential loss of privacy from OCSP is a trade-off we make

No, it is from one that Apple makes on behalf of everyone without asking or offering an opt-out. Not the same.

The host file hack is nice (if it works), but unintended and not exactly user friendly as far as opt-outs go.

manipulation

[fluffernutter]

Mac software is so freaking expensive i never use the apple store. Open source software already seems to have a hard enough time working on a Mac and much of the time the answer is that Apple doesn't expose the calls for this or that so it's the best that can be done. I feel like this is just an attempt to influence people to use the apple store and be afraid of everything else.

App consultants

[sdmedia24]

App consultants [ego-cms.com] development for outsourcing Android development All we want is a successful mobile application. Correct? But this is not that simple because who will make your app successful? Thousands of mobile app companies will claim to be the best