
Erehy Dobon

Suspended
Feb 16, 2018
2,161
2,017
No service
So is Little Snitch not necessary?
Little Snitch is not necessary. You can block it via the /etc/hosts hack or in some environments you can block this at the router level or with a device like a Pi-Hole.

The big problem in blocking access to ocsp.apple.com is that you don't know how every single application will react.

I used the /etc/hosts method and was able to fire up macOS Mail during this snafu. However, I left the entry in /etc/hosts and then parts of App Store wouldn't connect.

So I reluctantly removed the /etc/hosts entry yesterday. By then Apple had fixed the underlying OCSP issue.

I consider this a massive F-A-I-L for Apple. I wasn't attempting to download Big Sur, I just wanted to read e-mail on my Mac. When it first failed, I fired up my Windows PC which had no problem connecting to various e-mail accounts. In fact, I read about the /etc/hosts workaround while surfing this site on my Windows PC.

Ultimately, there's really no recourse. Apple's enforcement of OCSP validation has revealed a single point of failure as we saw on Thursday. That's bad design.

Even worse, it invites hackers to DDoS attack ocsp.apple.com because now they know interrupting data packets to that domain will cripple millions of Apple devices. In just a few days, every script kiddie on the planet knows they can inconvenience millions of Mac users by taking out ocsp.apple.com because Apple showed them it was possible.

My guess is that Apple will do nothing. They will make no apology for Thursday's clusterf*** and they will keep things status quo.

Steve would have been completely pissed at Thursday's snafu and would have personally apologized (he did this) but Steve has been dead 9+ years. The current Apple management team doesn't have any interest in apologizing for these sorts of missteps.

Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
I have successfully implemented this advice

and right now Little Snitch sees everything and I can block it as usual. As for VPN it still is a problem

I read this method but don't like it since it involves disabling two security features. To install a signed kext (Little Snitch 4.6) you don't need to actually disable any system security, there is a (hidden) feature in Big Sur to manually approve a specific kext from recovery mode. No need to turn off SIP or SSV, they'll play nice because you're enabling the kext within Apple's walled garden essentially.

The big question is how long will this feature stick around for since Apple now regards kexts as a legacy feature. I'm hoping they at the very least provide some sort of command to let users disable the idiotic network filter whitelist in a future update. If not, I guess I won't update past Big Sur if they remove kext support entirely.
 

steve62388

macrumors 68040
Apr 23, 2013
3,100
1,962
My VPN provider is Mullvad. I dropped them an email asking about OCSP leakage. They have just made a blog post saying their own app does not leak. So if they’re accurate then it depends whether your provider uses APIs or the macOS packet filter.


Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
My VPN provider is Mullvad. I dropped them an email asking about OCSP leakage. They have just made a blog post saying their own app does not leak. So if they’re accurate then it depends whether your provider uses APIs or the macOS packet filter.


Excellent news! Glad that for VPN apps it's as easy as just choosing not to use the API and using the packet firewall instead. Seems from that post that there are no restrictions in place to stop this so I assume all VPN apps will continue to use this approach as they'd have to actively choose to move over to the new API.

I will contact my own VPN provider and see what they have to say but I highly suspect they will do the same.
 

gilby101

macrumors 68030
Mar 17, 2010
2,922
1,617
Tasmania
My VPN provider is Mullvad. I dropped them an email asking about OCSP leakage. They have just made a blog post saying their own app does not leak.
VPNs can be implemented via three distinct Network Extensions. I am guessing that those using the App Proxy Provider are being bypassed.
My provider (PIA) also does not leak OCSP - I checked with Wireshark and all OCSP was going via the VPN tunnel.
 
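Two checks that follow from the posts above, written here as an added example (not code from any poster, VPN vendor or Little Snitch): Erehy Dobon's caveat that a leftover /etc/hosts sinkhole for ocsp.apple.com keeps breaking things after the outage, and gilby101's Wireshark check that OCSP traffic actually travels through the VPN tunnel. The hosts file and the flow log are constructed sample data, and the tunnel interface names and the flow-line format are assumptions.

```python
"""Two checks suggested by this thread, run over constructed sample data:
1) is ocsp.apple.com still sinkholed in an /etc/hosts-style file?
2) did any OCSP flow leave on the physical interface instead of the VPN tunnel?
"""
import re

OCSP_HOST = "ocsp.apple.com"
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
TUNNEL_PREFIXES = ("utun", "tun", "ppp", "ipsec")   # assumed tunnel interface names

# Constructed sample hosts file, not copied from any real system
SAMPLE_HOSTS = """\
127.0.0.1        localhost
255.255.255.255  broadcasthost
0.0.0.0          ocsp.apple.com   # workaround left over from the outage
"""

# Constructed flow log: <interface> <src ip>.<port> > <dst host>.<port>
# (shape loosely modelled on tcpdump output; 198.51.100.7 is a documentation address)
SAMPLE_FLOWS = """\
utun2 10.8.0.2.51234 > ocsp.apple.com.80
utun2 10.8.0.2.51235 > ocsp.apple.com.80
en0 192.168.1.20.51236 > ocsp.apple.com.80
en0 192.168.1.20.51237 > 198.51.100.7.443
"""

FLOW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+)$")


def hosts_sinkholes(hosts_text, host=OCSP_HOST):
    """Sinkhole addresses that `host` is mapped to; an empty list means it is not blocked."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, then tokenize
        if len(fields) >= 2 and host in fields[1:] and fields[0] in SINKHOLE_ADDRS:
            hits.append(fields[0])
    return hits


def parse_flows(flow_text):
    """Parse the flow log into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(FLOW_RE.match, flow_text.splitlines()) if m]


def ocsp_leaks(flow_text, host=OCSP_HOST):
    """OCSP flows that left on a non-tunnel interface, i.e. outside the VPN."""
    return [f for f in parse_flows(flow_text)
            if f["dst"] == host and not f["iface"].startswith(TUNNEL_PREFIXES)]


if __name__ == "__main__":
    print("hosts sinkholes for", OCSP_HOST, "->", hosts_sinkholes(SAMPLE_HOSTS))
    for f in ocsp_leaks(SAMPLE_FLOWS):
        print(f"LEAK: {f['iface']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
```

On a real machine you would feed `hosts_sinkholes` the contents of /etc/hosts and `ocsp_leaks` a capture exported in the same one-line-per-flow shape; a non-empty result from either is the condition the posters describe.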

Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
Just got confirmation from IVPN that they too use PF and therefore bypass the traffic leak in Big Sur.

This can also be confirmed via GitHub where all their clients are open sourced:


You can see in the code exactly how they manage WireGuard connections (WG is great) and they set their own firewall rules directly, no API.

Since PIA and Mullvad also use PF I think it's safe to assume any decent VPN service will continue to do the same for their clients.

Big sigh of relief over here!

So now all I have to do is run a command in recovery to allow Little Snitch 4.6 to install its kext then install the IVPN client as normal and both the problems I'm concerned about are gone.

I am going to have to keep an eye on this in the long-term though. Apple is bound to revoke support for kexts entirely in a future macOS release.

As for VPNs though there is not much they can do regarding the PF integrations. Short of completely reinventing the entire firewall implementation I don't see how they'd force VPNs to use the API instead. They can't really make the firewall config part of the read only filesystem protected by SIP because by nature the firewall config needs to be, well, configurable in order to actually be of any use within the OS.

But the moves they're making are clearly aimed at slowly locking down macOS more and more... it is a concern to me. I and many others have loved macOS/OS X because it's a very user friendly, well implemented UNIX system that allows power users to do their thing if they wish. Just install Brew and you've got the benefits of Linux on a well supported and easy to maintain UNIX OS. If they start turning it into iOS for laptops they take away what makes it a great UNIX system for power users.

Already I'm having to use outdated software and enable an obscure hidden function in recovery mode just to get an unencumbered firewall to run.

Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
Actually, thinking a bit on this... what's to stop Little Snitch also using the PF firewall to capture all traffic? Shouldn't be difficult in theory no? They could show data gathered by both Apple's new API and the PF firewall, and configure the PF firewall component to capture traffic from services on the whitelist. I imagine it'd be a little tricky to implement since the PF firewall isn't application based by definition but it could be done by keeping a regularly updated list of domains those services communicate with. Or perhaps create some logic to look at what traffic is captured by both then remove traffic already gathered by the API before combining both streams, this seems like it'd be a more reliable approach and require less maintenance.

I'm no developer, just thinking logically about how the system functions. I am guessing this (or something similar) is the "alternate method" they're already looking into. Hopefully it all works out then Little Snitch can continue to be fully functional without a kext in the future.
 

patearrings

macrumors regular
Mar 4, 2009
239
158
I am on Big Sur final release, and still using Little Snitch 4. I have been able to block ocsp.apple.com from LS and when I ping it from Terminal, the host is down, so I assume it's blocked. Is this not what you guys are experiencing?

Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
I am on Big Sur final release, and still using Little Snitch 4. I have been able to block ocsp.apple.com from LS and when I ping it from Terminal, the host is down, so I assume it's blocked. Is this not what you guys are experiencing?

If you are still running LS 4 you are all good since it uses a kext not the new API. The problem only comes when you upgrade to LS 5 which uses the network API not a kext. Apple is trying to stop use of kexts so expect LS 4 to stop being supported eventually.

My advice: stick to LS 4 for as long as you can until LS finds a workaround for 5, at least that's my plan. I think they will use the PF firewall to capture all traffic like the VPN clients already do.

P.S. Off-topic but didn't expect to see another Casisdead fan on here!
 

patearrings

macrumors regular
Mar 4, 2009
239
158
If you are still running LS 4 you are all good since it uses a kext not the new API. The problem only comes when you upgrade to LS 5 which uses the network API not a kext. Apple is trying to stop use of kexts so expect LS 4 to stop being supported eventually.

My advice: stick to LS 4 for as long as you can until LS finds a workaround for 5, at least that's my plan. I think they will use the PF firewall to capture all traffic like the VPN clients already do.

P.S. Off-topic but didn't expect to see another Casisdead fan on here!
Thanks for a comprehensive reply. I didn't know about this leak at all and nearly bought LS 5. Yep, Pat Earrings is a TOP tune!
 

blindpcguy

macrumors 6502
Mar 4, 2016
422
93
Bald Knob Arkansas
I read somewhere that Apple was going to add a preference pane to turn this off and start encrypting the OCSP stuff as well as go back and remove all IP addresses from the server. Can't remember where I saw it but I know I saw it. Will re-find the article and post shortly.
 

ironhide1975

macrumors newbie
Mar 6, 2021
5
1
Okay so this explains soooo much.
Recently with using NordVPN I was having major problems with my applications just hanging on exit. I would be running along just fine for a while and suddenly everything would freeze and I would not be able to close any application. If I switch to a new server on the VPN or turn off the Internet, suddenly everything would be fine. I was going back and forth with Nord about this several times getting multiple responses in attempting to resolve the issue from multiple people probably overseas. The only resolution to this was to download the Nord VPNIke version that was available from the Apple store but does not contain as many features.

When I upgraded to the regular NORD version I was having major problems with the whole application freezing. When I would go to the Preference Panel in MacOS Big Sur there would be no network connections available. It would be as if the whole Networking Part of the Operating System just disappeared.

If Apple is tracking when applications load and when they close then this is highly disgusting. I already am disappointed by their numerous social justice warrior ********, but now if they're tracking me, then it's time to go to Linux.
 

DimaVR

Suspended
Nov 14, 2017
1,146
479
Okay so this explains soooo much.
Recently with using NordVPN I was having major problems with my applications just hanging on exit. I would be running along just fine for a while and suddenly everything would freeze and I would not be able to close any application. If I switch to a new server on the VPN or turn off the Internet, suddenly everything would be fine. I was going back and forth with Nord about this several times getting multiple responses in attempting to resolve the issue from multiple people probably overseas. The only resolution to this was to download the Nord VPNIke version that was available from the Apple store but does not contain as many features.

When I upgraded to the regular NORD version I was having major problems with the whole application freezing. When I would go to the Preference Panel in MacOS Big Sur there would be no network connections available. It would be as if the whole Networking Part of the Operating System just disappeared.

If Apple is tracking when applications load and when they close then this is highly disgusting. I already am disappointed by their numerous social justice warrior ********, but now if they're tracking me, then it's time to go to Linux.
You're overthinking this. I'm using AVG VPN on all my iOS devices and it works fine. It's just issues with VPN software; you are way overthinking this.
 

ironhide1975

macrumors newbie
Mar 6, 2021
5
1
You're overthinking this. I'm using AVG VPN on all my iOS devices and it works fine. It's just issues with VPN software; you are way overthinking this.
I don't think I am. Why are my applications reporting back home on exit? This shouldn't be something that I need to do on my computer. If my applications are hanging on exit and when I change the server or disconnect from the Internet they work, then Apple is tracking opening and closing of apps which is a complete invasion of privacy.
 

Apple_Robert

Contributor
Sep 21, 2012
35,589
52,329
In a van down by the river
Okay so this explains soooo much.
Recently with using NordVPN I was having major problems with my applications just hanging on exit. I would be running along just fine for a while and suddenly everything would freeze and I would not be able to close any application. If I switch to a new server on the VPN or turn off the Internet, suddenly everything would be fine. I was going back and forth with Nord about this several times getting multiple responses in attempting to resolve the issue from multiple people probably overseas. The only resolution to this was to download the Nord VPNIke version that was available from the Apple store but does not contain as many features.

When I upgraded to the regular NORD version I was having major problems with the whole application freezing. When I would go to the Preference Panel in MacOS Big Sur there would be no network connections available. It would be as if the whole Networking Part of the Operating System just disappeared.

If Apple is tracking when applications load and when they close then this is highly disgusting. I already am disappointed by their numerous social justice warrior ********, but now if they're tracking me, then it's time to go to Linux.
Apple isn't tracking you. All that is happening is Apple is making sure the app certificates are valid when launched, which they have a right to do. It isn't about tracking everything you do.

I am running an M1 with Surfshark with no problems with any of my apps freezing etc. I think something may be wrong with your setup.
 

ironhide1975

macrumors newbie
Mar 6, 2021
5
1
Apple isn't tracking you. All that is happening is Apple is making sure the app certificates are valid when launched, which they have a right to do. It isn't about tracking everything you do.

I am running an M1 with Surfshark with no problems with any of my apps freezing etc. I think something may be wrong with your setup.
I don't need them to do that. I'm an adult and I can be responsible for what I put on my computer. If something I download loads a virus, that's my own fault. Apple doesn't need to, nor should be tracking this.
 

Apple_Robert

Contributor
Sep 21, 2012
35,589
52,329
In a van down by the river
I don't need them to do that. I'm an adult and I can be responsible for what I put on my computer. If something I download loads a virus, that's my own fault. Apple doesn't need to, nor should be tracking this.
If the app is from their store, they have a right to make sure that the app is following App Store rules and is not a fake malware app. I said nothing about protecting you. Apple has a right to guard their house, just like you have the right to guard your home against attack.

This story has been updated and there is more up to date news on Apple's actions on this matter you should read.
 

ironhide1975

macrumors newbie
Mar 6, 2021
5
1
If the app is from their store, they have a right to make sure that the app is following App Store rules and is not a fake malware app. I said nothing about protecting you. Apple has a right to guard their house, just like you have the right to guard your home against attack.

This story has been updated and there is more up to date news on Apple's actions on this matter you should read.
My computer is not their house. My computer is mine.
And I try not to download from the App Store. Worst idea ever! Real software comes on a floppy disk or DVD!
 

Apple_Robert

Contributor
Sep 21, 2012
35,589
52,329
In a van down by the river
My computer is not their house. My computer is mine.
And I try not to download from the App Store. Worst idea ever! Real software comes on a floppy disk or DVD!
Real software only comes on a DVD or floppy disk? Are you for real? Software used to come that way back in the 80s - probably until the 2000s.

If you don't want to use apps from the App Store and don't trust Apple, you should sell your Apple products and move to Linux, where any software you need for Linux doesn't come from DVD or floppy.

I am done with this particular conversation.
 

ironhide1975

macrumors newbie
Mar 6, 2021
5
1
Real software only comes on a DVD or floppy disk? Are you for real? Software used to come that way back in the 80s - probably until the 2000s.

If you don't want to use apps from the App Store and don't trust Apple, you should sell your Apple products and move to Linux, where any software you need for Linux doesn't come from DVD or floppy.

I am done with this particular conversation.
Once I get my tax refund I'm buying a machine and putting Ubuntu on it. Also switching to a GrapheneOS phone. Done with Apple. That ******* Tim Cook has betrayed everything Steve Jobs stood for and sold Apple to China. macOS Big Sur is the warning Professor Kaczynski warned us about.