
Kung gu

Suspended
Original poster
Oct 20, 2018
1,379
2,434

Apple clarifies the OCSP concern.

MacRumors article: https://forums.macrumors.com/thread...rounding-app-authentication-in-macos.2268634/
Source: https://support.apple.com/en-us/HT202491
Scroll down until you see "privacy protections".
 
  • Like
Reactions: Sanpete

rafark

macrumors 68000
Sep 1, 2017
1,839
3,212
There’s absolutely no way Apple is not storing a log of this. After all, Apple “somehow” seems to know exactly what people want.
 
  • Like
Reactions: alex00100

Kung gu

Suspended
Original poster
Oct 20, 2018
1,379
2,434
There’s absolutely no way Apple is not storing a log of this. After all, Apple “somehow” seems to know exactly what people want.
It looks like they did store the IP addresses and log them, but are removing them now.
 

Kung gu

Suspended
Original poster
Oct 20, 2018
1,379
2,434
These are what Apple is adding now:

In addition, over the next year we will introduce several changes to our security checks:

  • A new encrypted protocol for Developer ID certificate revocation checks
  • Strong protections against server failure
  • A new preference for users to opt out of these security protections
Good on Apple for addressing this and not staying in the dark
 

JMacHack

Suspended
Mar 16, 2017
1,965
2,424
Good response. I like that they address concerns and give concrete steps to what they're gonna do to improve it.
 

Kung gu

Suspended
Original poster
Oct 20, 2018
1,379
2,434
MacRumors has now posted this on the front page.
 

bobmans

macrumors 6502a
Feb 7, 2020
598
1,751
So they’re replacing an industry standard protocol like OCSP with a fully custom encrypted alternative and all the people who complained about OCSP sending unencrypted developer IDs will now cheer this on. With OCSP you could literally see what they were sending and it was clear you didn’t need to worry about anything; with a custom alternative you won’t know anything.

At least you’ll be able to disable it I guess, although it’s not like 0.0.0.0 ocsp.apple.com didn’t exist.
 
  • Like
Reactions: chrfr

leman

macrumors Core
Oct 14, 2008
19,520
19,670
@leman I would like your input on this.

Thanks for the sentiment, although I am not sure why my input would be valuable :) After all, I do think that this issue has been overblown.

Anyway, on one side this was a very quick and satisfactory response by Apple that addresses the elephant in the room and outlines the path forward.

On the other hand:

- it seems they did log the IPs (why, for what purpose)?
- no short-term solution in sight, it will take “years” (on the other hand, rushing these things is not wise)
- issue of core services bypassing the VPN and LittleSnitch being non-functional on Big Sur (which is what privacy-concerned users were complaining about) is not addressed or even mentioned


Considering all this, I’d say that Apple’s response is a careful “damage control” PR act crafted by lawyers that doesn’t amount to much in practical terms. But again, as I don’t share the sentiment about it being a critical privacy issue, this reaction is satisfactory in my book (although the VPN issue kind of stinks).
 
  • Like
Reactions: Kung gu

Kung gu

Suspended
Original poster
Oct 20, 2018
1,379
2,434
I am definitely going to opt out and am happy that the sensational news led to this outcome.

Hopefully by the time macOS 12 launches the security feature is there to opt out
 