August 7th, 2024

Apple memory holed its broken promise for an OCSP opt-out

Apple has not fulfilled its promise to provide an opt-out for OCSP checks in macOS, raising privacy concerns. Following macOS 14 Sonoma, it removed related documentation, prompting user skepticism.


Apple has faced criticism for not delivering the opt-out it promised for the Online Certificate Status Protocol (OCSP) checks that macOS performs. After the outage of its OCSP service in November 2020, during which Macs stalled on launching apps while the check hung, Apple said it would make several privacy changes, among them a new preference letting users opt out of these security protections. That preference never shipped. On September 26, 2023, the day macOS 14 Sonoma was released, Apple removed the promise from its support documentation, redirecting the old page to a slightly altered one that keeps most of the original text. Critics argue that this reflects disregard for user privacy and trust, since Apple has not delivered on its commitments. The article concludes that users who object to the connections have no supported switch and must fall back on a third-party firewall to block the traffic to Apple's servers, giving up whatever revocation protection the check provides, and it notes growing skepticism about the company's transparency regarding how it handles this data.

- Apple has not implemented an opt-out option for OCSP checks in macOS as promised.

- The company removed references to this promise from its support documentation after the release of macOS 14 Sonoma.

- Critics express concerns about Apple's commitment to user privacy and trust.

- Users may need to use third-party firewalls to protect their privacy from Apple's data collection practices.

12 comments
By @jesprenj - 6 months
Regarding OCSP, off-topic for Apple: Firefox enables OCSP by default. This means that for every TLS connection an OCSP plaintext HTTP request will be made to the certificate authority that signed the certificate of the website the browser is connecting to. This means that the certificate authority receives very well-timestamped information about the exact domains you are visiting if you are using Firefox and don't disable OCSP and the website you're connecting to does not use OCSP stapling (most don't). Note that disabling OCSP will make Firefox unable to get certificate revocation information (maybe it still uses the system's revocation store, I'm not sure about that, but it certainly does not use more privacy-preserving CRLs).
By @katzinsky - 6 months
This kind of stuff is a major reason I completely cut all Apple stuff out of my life.

When your network is all Linux everything actually does "just work" more so than it ever did with OSX. Everything is just an SSH away, it's really pretty amazing.

By @cyberpunk - 6 months
How does one go about creating a little snitch rule to prevent these connections?
By @hansvm - 6 months
Can you get around that nonsense by turning off wireless radios before launching apps?
By @boffinAudio - 6 months
I feel the same way about this as I do with the whole NSA clusterfuck: If I had access to my own data and could do what I wanted with it, I'd be fine with it.
By @minkles - 6 months
Ok I understand the technical considerations here. But really what is the risk surface for me here as a dumb end user who uses apps from the store and a few things off homebrew and not a lot else? I mean I've got a large pile of Apple crap sitting here. Is this even remotely worrisome enough to shift it and move to something else? The CSAM thing probably was. This? I don't know.

(I could probably do everything I need to do on Linux - I just don't want to)

By @saagarjha - 6 months
It's really quite unfortunate how much of Apple software is designed around "privacy is when you trust Apple" :/
By @keleftheriou - 6 months
Shameful behavior by Apple.
By @_twor - 6 months
What are Apple up to? Very long term?
By @Spivak - 6 months
Honestly I can imagine the preference being axed when OCSP is the macOS antivirus and I'm pretty sure I know what the first thing any malicious software is gonna do if it's able to be turned off.

macOS preferences aren't magically locked away from the rest of the system, regular users can change their own user preferences, and root can change system preferences. An antivirus has to still work against an attacker who has root. It's why you can't block certain apps/domains from the firewall as well.

You could put the preference in recovery mode along with disabling SIP and I think that would accomplish everyone's goals.