I don’t see how this makes anything better? Sending a global unique hash of the developer certificate in the clear still allows both Apple to keep a log and anyone the power to snoop. This is fundamentally busted. Apple should send ban lists to the user. https://t.co/2gjIjHsAq8 — DHH (@dhh) November 15, 2020
It’s dangerous because it encourages people to abandon Apple’s malware prevention systems, which are VITAL. The pretext is some bullshit about “not owning your computer”, i.e. not having total control over everything the computer is doing.
Really? WELCOME TO FUCKING SOFTWARE
— Yoz Grahame (@yoz) November 14, 2020
If you want to understand why Apple keeps checking apps on your machine, just watch a bunch of smart technologists loudly encourage you to change your software based on valid-sounding misinformation from a complete stranger — Yoz Grahame (@yoz) November 14, 2020
An algorithm to guess with overwhelming probability which app someone is using when you observe a Mozilla cert OCSP request from a Mac:
Step 1: guess Firefox.
Step 2: there is no step 2.
— Matthew Green (@matthew_d_green) November 15, 2020
The whole Apple ecosystem doesn’t really work if you don’t trust it. All the devices are connected, they would be potentially gathering incredible troves of information about health, location and interests. Apple keeps closing itself out of knowing these things all the time. — alexlindsay (@alexlindsay) November 14, 2020
I'll be more polite. The blog post that sparked this hyperbolically overstates the impact, and still appears to believe Greenwald's terrible misreporting on PRISM. And brings up an unrelated Apple decision not to support e2e in a cloud service. And brings up Akamai for no reason. — Eric Mill (@konklone) November 14, 2020
More on this. Apparently, Apple doesn’t learn which app you’re running, but they do learn who the developers are. I don’t find the difference significant in the general case. How long does Apple keep this data? I’m still getting creepy-crawlies. More transparency please. https://t.co/K4TtaKZmPf — Tim Bray (@timbray) November 15, 2020
Hey Apple users:
If you're now experiencing hangs launching apps on the Mac, I figured out the problem using Little Snitch.
It's trustd connecting to https://t.co/FzIGwbGRan
Denying that connection fixes it, because OCSP is a soft failure.
(Disconnect internet also fixes.) pic.twitter.com/w9YciFltrb
— Jeff Johnson (@lapcatsoftware) November 12, 2020
"No, macOS does not send Apple a hash of your apps each time you run them. You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text" https://t.co/wQzAopjCJX via @bcrypt — Jon Evans (@rezendi) November 15, 2020
"Does Apple really log every app you run? A technical look": https://t.co/adNKukx5p2
good dive into what OCSP is actually (not) doing — there were some popular but misleading tweets about the topic (because story > facts)
also wikipedia on the protocol: https://t.co/zxeAyJydHh pic.twitter.com/u0sllenpPS
— Philipp Krenn (@xeraa) November 15, 2020
Some Apple apologism to start this weekend. https://t.co/G58U3quu24 - the recent #OCSP responder outage and the hysteria afterwards shows the tightrope Apple has to walk with respect to platform security.
I haven't done this in a while. Dusting off the blog. #Apple #privacy
— Phil Vachon (@pvachonnyc) November 14, 2020
The huge reaction to Paul’s blog post demonstrates what happens if/when Apple gets this wrong.
Imagine if it was Amazon. Sure, you would disapprove, but it’d be eye-roll number six in your morning coffee doomscroll.
When it’s Apple’s screw-up, it’s everywhere.
— Yoz Grahame (@yoz) November 14, 2020
“Safely open apps on your Mac” > “Privacy protections”
• A new encrypted protocol for Developer ID certificate revocation checks
• Strong protections against server failure
• A new preference for users to opt out of these security protections https://t.co/aTeE0yXw0T pic.twitter.com/kEPWgjxMZO
— Rene Ritchie (@reneritchie) November 16, 2020
OCSP updates: Apple stopped logging IP addresses, made the cache take longer to expire, won't associate data with individuals, and in the future, will make it opt-out and encrypted.
Still, we're at the point where every launch of a program is logged. https://t.co/WHSpPXELWk
— Michael Herf (@herf) November 16, 2020