What's the latest on the OCSP controversy from 2020?

Many of you will remember the brouhaha stirred up by Jeffrey Paul of sneak.berlin, with a post titled Your Computer Isn’t Yours. His complaint (that Apple was using the trustd process and something called OCSP* to report back, in plain text, every time we opened a program) was fed by that time in Nov. of 2020 when users were unable to open programs on their Macs, and it turned out that it was due to a server slowdown involving OCSP. Read Ars Technica’s take on the story here.

Apple even responded to the controversy, and said, in part “These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.”

So, my question is, what’s the latest on this issue? I have a client that found a PDF of Mr. Paul’s original post online, and is so upset by it that she’s decided she can’t use Macs any longer. While there are a lot of updates and FAQs on his post, it still seems to me that his post is largely the chicken-little take, but am I wrong about that?

Honestly, I’m as frustrated and disturbed by much of the way macOS has evolved in recent years as anyone, but most everything I’ve read shows that Apple is doing more than any other Big Tech company to protect our privacy and security.

Do any of you who are more knowledgeable than I about the under-the-hood workings of macOS in general, and security/privacy issues such as this in particular, have any more current info on this? I’m sure the answer is complicated, of course, but I’d like to be able to report back to my client with the most up-to-date info.

*Online Certificate Status Protocol

As of November 2020, Apple hadn’t honored what they promised. Per Howard Oakley:

1 Like

If your client is that concerned about privacy, you should inform her that switching to Windows won’t help either. It also incorporates digitally signed applications - which means there are certificates and a mechanism (involving remote servers) to check for certificate revocation.

In the Linux world, mandating signed apps is something you can optionally choose to use or not use, but can your client do all her computing on Linux? Maybe, but I suspect not.

Digitally signed apps, and all the baggage that comes with mandating them, are a fact of life these days. And for good reason. It’s a critical part of a system’s mechanism for blocking malware, by detecting when something has tampered with an app, or when fake software has been installed, or when an official software distribution server has become compromised.

If your client understands the issues (and isn’t just freaking out over an article deliberately written using inflammatory language) and is still bothered by this, there are things you can do to effectively disable application signature checking. But I would never suggest someone do it without fully understanding the implications of such a change.

See also How to run apps in private – The Eclectic Light Company

4 Likes

Along with the OS being more secure, Apple does not sell OS data they track to third parties. MS sells data it tracks via the OS as well as online data. Just because MS might not be quite as bad as Facebook or Android does not mean they are good about privacy and security.

I honestly don’t blame her. I switched to Linux for a few months after the OCSP debacle. I lost an entire afternoon of work because my Macs were unusable, which is absolutely unacceptable. I only switched back because my Linux machine (a ThinkPad T420) is too slow for many tasks, like video editing, and I still need the Mac for some workflows (Take Control books in particular).

As Howard Oakley has pointed out, Apple has taken none of the promised actions to prevent this from happening again. Granted, it hasn’t happened again as far as I know, but my trust in the Mac is shaken. At least I know I have a serviceable Linux machine on hand if needed.

1 Like

An important article (linked from the Ars Technica analysis): Does Apple really log every app you run? A technical look – Jacopo Jannone - blog

Without repeating all the technical details, it summarizes what Apple is actually doing here.

  • Apple uses OCSP to verify the developer certificate of apps when they are launched. Not for every launch, but often enough that it can detect revoked certificates in a timely manner - which is its point.

  • The certificate is per-developer, not per-app. So, for example, someone intercepting the data doesn’t know if you’re running Word, Excel, Outlook or Edge, but he does know that you’re running a Microsoft app.

    • Nevertheless, this isn’t completely harmless, because many popular apps come from companies that only have a small number of products. For example, I don’t think Mike Bombich has any released apps other than Carbon Copy Cloner.

      It probably doesn’t matter if someone can determine that you’re running a Microsoft or Adobe or Apple or Mozilla app. But it might be a concern if you’re running something specialized that is specifically meant for improving privacy, like the Tor browser.

  • If you’re still concerned, you can block access to Apple’s OCSP server. Apple has taken some actions to prevent software firewalls from blocking this access, but they clearly can’t stop you from setting up an external firewall on your LAN.

    If you consider it necessary to block OCSP, I would suggest you take the time to learn how to set up and maintain your own LAN security (DNS servers, firewalls, etc.). Don’t take the easy way out and assume that a quick-fix (e.g. a line in your Mac’s hosts file) will solve the problem. Apple could easily work around things like that in the future, should they choose to do so.

  • If there is a specific app that you are worried about, you can use the codesign tool (part of the Xcode developer tools) to re-sign an app. Once that’s done, it will show up using your own developer certificate (or a self-signed one if you never paid Apple for a cert).

    The result will be that someone snooping the OCSP requests won’t be able to identify the app’s actual publisher, but they will (in theory) be able to identify you. But the whole premise of this discussion is that you’ve already been identified - which is why you’re so concerned about someone finding out about the apps you’re running.

  • Other operating systems and web browsers also use OCSP. It is one of the standard ways to detect revoked certificates, whether as a part of installing/updating software or opening an HTTPS link to a web server.

    One could argue that OCSP usage elsewhere is less private than Apple’s app-launch behavior, because they validate certificates that come from sources all over the Internet (and therefore send the validation request back to those sources), not just certificates issued by Apple.

    It’s a lot harder to configure a firewall to block every OCSP server in the world than it is to just block Apple’s.

Ultimately, aside from the real-world problems resulting from a slow OCSP validation server (which led to the problem in 2020), I don’t think most people have a legitimate need to be concerned. For those that do have such a need (or are just more worried than I am), there are workarounds that can and should be used - but this is going to be a much bigger project than simply blocking its use by Apple’s application-launch semantics.

If you have such a need, you should consult a security professional to identify all the places where OCSP (and other similar technologies) are used on your network (including, for example, your mobile and IoT devices) so you can develop a strategy to block them all.

6 Likes

Thanks for the thoughtful replies everyone! As a couple of you pointed out, Linux is the only real alternative if one wants to avoid OCSP as much as possible, and that’s what she’s decided she wants to do. I’m not confident that she’s up for learning Linux, but that’s another question entirely.

I sure wish Apple would stop dragging their feet on stuff like this. It’s a discouraging trend, to say the least.