macOS Big Sur Potential Security Issues Revealed

[SpiritSoul1008]

Did you guys read this article over at 9to5Mac? (Link)
Here is the original article by the researcher (Link)

I am pretty concerned with the changes that have been made in Big Sur, which could potentially allow any bad actors to spy on our location and app usage. According to this researcher, with these changes to the OS, we cannot even secure our computers with a VPN or Little Snitch. Is Apple lying to us about how security and privacy are priorities for them? What are your thoughts?

 

[Jonas07]

It means the privacy apple talk about all the time is just propaganda to sell more products.

 

[tommiy]

Yes thats really not good at all. I knew i stopped upgrading for a reason. I think at some point Apple believed in their position of security but thats obviously gone now.

 

[SpiritSoul1008]

Apple joined Prism in 2012.

The other companies: Microsoft (2007), Yahoo (2008), Google (2009), Facebook (2009), PalTalk (2009), YouTube (2010), Skype (2011), AOL (2011), Apple (2012)

Maybe after Steve Jobs died, Apple sold their soul.

 

[nt5672]

Does anyone know what rules to use in an external firewall to block this?

 

[Heat_Fan89]

It means the privacy apple talk about all the time is just propaganda to sell more products.

I don’t see it as propaganda. It’s more like marketing spiel. If you look at an iPad advertising/privacy settings. It clearly shows Apple is spying on you by informing you that it will show you ads based on your browsing habits aka “Personalized Ads”. You can turn it off but the ads will now be generic and they will push the same amount of ads.

Gee, that sounds an awful lot like Windows 10. As a previous poster in this thread mentioned, if you are on the internet, “you are being watched and data is being collected”. Linux is going in that direction many of its Distro’s. Canonical sold out to Amazon on Ubuntu. Everyone is doing it in one form or another.

Brave browser was pimping its privacy browser as they sold themselves like Apple does “what’s on your computer stays on your computer”. Well they got caught as well doing some shady stuff.

Brave Browser's Affiliate Link Controversy, Explained

Privacy browser Brave was called out this weekend when users noticed that typing "Binance" resulted in an auto-complete ending in a referral link.

www.coindesk.com

 

[SpiritSoul1008]

I don’t see it as propaganda. It’s more like marketing spiel. If you look at an iPad advertising/privacy settings. It clearly shows Apple is spying on you by informing you that it will show you ads based on your browsing habits aka “Personalized Ads”. You can turn it off but the ads will now be generic and they will push the same amount of ads.

Gee, that sounds an awful lot like Windows 10. As a previous poster in this thread mentioned, if you are on the internet, “you are being watched and data is being collected”. Linux is going in that direction many of its Distro’s. Canonical sold out to Amazon on Ubuntu. Everyone is doing it in one form or another.

Brave browser was pimping its privacy browser as they sold themselves like Apple does “what’s on your computer stays on your computer”. Well they got caught as well doing some shady stuff.

Brave Browser's Affiliate Link Controversy, Explained

Privacy browser Brave was called out this weekend when users noticed that typing "Binance" resulted in an auto-complete ending in a referral link.

www.coindesk.com

No matter what word you would like to use or direction the industry is going, it doesn't make me a happy customer.

 

[katbel]

Did you guys read this article over at 9to5Mac? (Link)
Here is the original article by the researcher (Link)

I am pretty concerned with the changes that have been made in Big Sur, which could potentially allow any bad actors to spy on our location and app usage. According to this researcher, with these changes to the OS, we cannot even secure our computers with a VPN or Little Snitch. Is Apple lying to us about how security and privacy are priorities for them? What are your thoughts?

I thought about maybe upgrading to Big Sur (didn't even upgraded to Catalina) but after what happened two days ago I will not upgrade anything. I was attracted by their proprietary chip , now I'm afraid of loosing all my privacy.
Lost trust in Apple , already it was already eroded but not in the "privacy" yet.
I read the article already, thanks
I'm so fed up with Apple. It hurts : I've been an Apple user for so long, 20 years and counting.
Here I'm trying to defend MY COMPUTER, maybe it's time to use it off line all the time, just for the sake of it
I'm nobody, but I'm annoyed if someone knows what color of socks I'm wearing in the morning
It really sucks ?

 

[IowaLynn]

That ad from Apple, "1984"? Didn't expect they would be the ones making it "possible" to help.

 

[EDS66]

Does anyone know what rules to use in an external firewall to block this?

The exact type of rule would depend on your firewall. But basically you would need to set up an outbound rule (Lan to WAN) that would deny traffic to OCSP.APPLE.COM. I have it deployed on my SonicWall, and it works great. You can test the rule by pinging OCSP.APPLE.COM from any computer on the Local Area Network. If the rule works, the pings will be squelched; if the rule is not set up correctly, the pings will be answered.

 

[katbel]

The exact type of rule would depend on your firewall. But basically you would need to set up an outbound rule (Lan to WAN) that would deny traffic to ACSP.APPLE.COM. I have it deployed on my SonicWall, and it works great. You can test the rule by pinging ACSP.APPLE.COM from any computer on the Local Area Network. If the rule works, the pings will be squelched; if the rule is not set up correctly, the pings will be answered.

What ACSP does cover? I thought it was OCSP.apple.com

 

[EDS66]

Sorry, typo: OCSP.APPLE.COM
Here is an example of the rule using SonicWall OS.

 

[ArPe]

Apple joined Prism in 2012.

The other companies: Microsoft (2007), Yahoo (2008), Google (2009), Facebook (2009), PalTalk (2009), YouTube (2010), Skype (2011), AOL (2011), Apple (2012)

Maybe after Steve Jobs died, Apple sold their soul.

Prism was designed to track terrorism related activity during the war on terror. It was never fully implemented and there was no requirement for companies to join or stay. It existed mostly as a concept in a PowerPoint document leaked by Snowden.

Apple has gone on record as saying they are not part of it. They wouldn’t even help the FBI crack a terrorist’s phone, yet these stupid conspiracy theories remain.

 

[leman]

There is no security issue there. It’s industry standard certificate validation. All operating systems do it. Usually it’s used to check web certificates, but Apple also uses it to verify the signed applications. Microsoft uses the same thing for their signed apps.

The claims made in the article are overblown and outlandish. They claim that Apple would log every time you start any app, which is not true (results are cached and Apple servers are only consulted once in a while). There is no personal data transmitted that we know of. They further claim that this data can be spied on to collect your app usage habits, since it’s not encrypted. But they completely ignore the fact that OCSP requests are never encrypted, and that there are many more sources of unencrypted traffic that would reveal your web browsing habits (like DNS requests) - which have been used in the entire computing industry since the beginning of internet.

 

[EDS66]

There is no security issue there. It’s industry standard certificate validation. All operating systems do it. Usually it’s used to check web certificates, but Apple also uses it to verify the signed applications. Microsoft uses the same thing for their signed apps.

The claims made in the article are overblown and outlandish. They claim that Apple would log every time you start any app, which is not true (results are cached and Apple servers are only consulted once in a while). There is no personal data transmitted that we know of. They further claim that this data can be spied on to collect your app usage habits, since it’s not encrypted. But they completely ignore the fact that OCSP requests are never encrypted, and that there are many more sources of unencrypted traffic that would reveal your web browsing habits (like DNS requests) - which have been used in the entire computing industry since the beginning of internet.

I partially agree. But they should be encrypting outbound traffic to ocsp.apple.com. The other problem is whenever an ISP has an issue with intermittent connectivity (Comcast is known for that), Macs slow down to a crawl, as there is no hard connection failure when applications try to contact OCSP.APPLE.com. This happens quite often. Apple needs to address this, maybe have it time out quicker or something. It's infuriating when it happens.

 

[planteater]

This is being blown out of proportion. Apple is doing this to validate applications. That is a good thing from a security perspective.

You can be guaranteed that Apple is working on a fix so that it will not cause slowdown issues in the future.

Was Your Mac Slow on Thursday? Apple's OCSP Server Was Likely the Cause

Was your Mac slow to launch apps or even restart on Thursday? Apple's OCSP Server was the likely cause, possibly due to Big Sur overload.

www.macobserver.com

Online Certificate Status Protocol - Wikipedia

en.wikipedia.org

 

[dukebound85]

Very alarming and dissapointing

 

[leman]

I partially agree. But they should be encrypting outbound traffic to ocsp.apple.com.

If it is technically feasible and would actually help (I mean, wouldn't encrypting a known certificate hash with a known key just yield a different known hash?), sure, why not. I just don't see what the big fuss is. This is not sensitive data.

P.S. Found this https://stackoverflow.com/questions/13336695/ocsp-over-ssl-tls

The other problem is, unless Apple do something about fixing this, whenever an ISP has an issue with intermittent connectivity (Comcast is known for that), Macs slow down to a crawl, as there is no hard connection failure when applications try to contact OCSP.APPLE.com.

I think this is something we can all agree upon.

 

[nt5672]

The exact type of rule would depend on your firewall. But basically you would need to set up an outbound rule (Lan to WAN) that would deny traffic to OCSP.APPLE.COM. I have it deployed on my SonicWall, and it works great. You can test the rule by pinging OCSP.APPLE.COM from any computer on the Local Area Network. If the rule works, the pings will be squelched; if the rule is not set up correctly, the pings will be answered.

Thanks.

 

[hg.wells]

Have a look at this article

Does Apple really log every app you run? A technical look – Jacopo Jannone - blog

blog.jacopo.io

Gatekeeper checks apps on first launch to verify they are legit, a new OS install will trigger this when apps launch for the first time. This is not done at every app launch like the original article suggested.

I have no issue with this behavior and its how Apple positioned Gatekeeper.

 

[leman]

Have a look at this article

Does Apple really log every app you run? A technical look – Jacopo Jannone - blog

blog.jacopo.io

Gatekeeper checks apps on first launch to verify they are legit, a new OS install will trigger this when launch apps launch for the first time. This is not done at every app launch like the original article suggested.

I have no issue with this behavior and its how Apple positioned Gatekeeper.

I am happy to know that there are voices of reason out there. Thank you.

 

[haralds]

Eclectic Light Company has a related column: Making essential services fail-safe

 

[Collywobbles]

Does anyone know what rules to use in an external firewall to block this?

you can't, it has some internal exceptions that prevent it. you will need to block externally, PI_hole to block all calls. External VPN to obfuscate your location. the communication is unencrypted, is hashed but contains location, app details, time and date information, possibly a couple of other things (can't remember). the whole policy around 'data privacy' and Apple has to be debated, personally I feel very let down by the whole process. their processes simply aren't up to scratch. software testing, design, stuff simply 'just doesn't work' anymore. the hardware teams are great, silicon superb.. the software teams are $hite... adding a fresh layer of varnish simply isn't good enough, all the cracks are still showing.

 

[leman]

you can't, it has some internal exceptions that prevent it. you will need to block externally, PI_hole to block all calls. External VPN to obfuscate your location. the communication is unencrypted, is hashed but contains location, app details, time and date information, possibly a couple of other things (can't remember). the whole policy around 'data privacy' and Apple has to be debated, personally I feel very let down by the whole process. their processes simply aren't up to scratch. software testing, design, stuff simply 'just doesn't work' anymore. the hardware teams are great, silicon superb.. the software teams are $hite... adding a fresh layer of varnish simply isn't good enough, all the cracks are still showing.

They are using an industry standard protocol. The same information is being sent out - unencrypted- every time you access any https website, on any OS and any major browser. Even more, every time you resolve an URL - that is also unencrypted.

 

[Collywobbles]

They are using an industry standard protocol. The same information is being sent out - unencrypted- every time you access any https website, on any OS and any major browser. Even more, every time you resolve an URL - that is also unencrypted.

and the communication bypasses any tunnelling protocols you have in place and gives away your exact location, IP address and product you are running + plus other information. a browser honours any transport layers in operation.