• Does Apple really log every app you run? A technical look

    https://blog.jacopo.io/en/post/apple-ocsp

    TL;DR
    • No, macOS does not send Apple a hash of your apps each time you run them.
    • You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text on your network.
    • You probably shouldn’t block ocsp.apple.com with Little Snitch or in your hosts file.

    –—

    it is common for OCSP to use HTTP - I’m talking about good old plaintext HTTP on port 80, none of that HTTPS rubbish. There is usually a good reason for this, that becomes especially clear when the OCSP service is used for web browsers: preventing loops. If you used HTTPS for checking a certificate with OCSP then you would need to also check the certificate for the HTTPS connection using OCSP. That would imply opening another HTTPS connection and so on.

    Of course while OCSP does not mandate encryption, it does require that responses are signed by the server. This still doesn’t solve the initial concern that anyone with a traffic analyser on your network could eavesdrop every app you open and when you open it.

    [...]

    It is clear that the trust service on macOS doesn’t send out a hash of the apps you launch. Instead, it just sends information about some certificate - as we would certainly expect after understanding what OCSP is in the first place.

    #ocsp #Gatekeeper

  • Apple Users Got Owned

    https://puri.sm/posts/apple-users-got-owned

    This means that Apple not only knows which applications you have installed, it knows each time you run them. While in the past this was an optional service, now it’s mandatory and starting with Big Sur, you can no longer use a tool like Little Snitch to block this service, or route it through Tor for some privacy. Apple (and anyone who can sniff this plaintext communication) can know when you launched Tor browser or other privacy tools, or how often you use competitors’ applications.

    [...]

    Apple’s notary service doesn’t send information about the app, but instead sends information about the developer certificate used to sign them (which makes more sense given how OCSP works). This means that they can know, for instance, that you ran an application from Mozilla, but they can’t necessarily tell whether you ran Firefox or Thunderbird. If a developer only signs a single application, of course, they could correlate the certificate with the app. The service also seems to cache an approval for a period of time so whether it sends Apple information each time you run an app depends on how frequently you launch it.

    [...]

    Yet like with so many Apple features, security is a marketing term when the real motivation is control. While code signing already gave Apple control over whether you could install or upgrade software, this feature grants Apple control over whether you can run applications. Apple already has used code signing on iOS to remove competitor’s applications from the App Store and also remotely disable apps in the name of security or privacy.
    There’s no reason to think they won’t use the same power on macOS now that it can no longer be bypassed.

    #ocsp #Gatekeeper #privacy

  • macOS Big Sur launch appears to cause temporary slowdown in even non-Big Sur Macs

    https://arstechnica.com/gadgets/2020/11/macos-big-sur-launch-appears-to-cause-temporary-slowdown-in-even-non-bi

    It didn’t take long for some Mac users to note that trustd—a macOS process responsible for checking with Apple’s servers to confirm that an app is notarised—was attempting to contact a host named ocsp.apple.com but failing repeatedly. This resulted in systemwide slowdowns as apps attempted to launch, among other things.

    [...]

    The “OCSP” part of the hostname refers to Online Certificate Status Protocol stapling, or just “certificate stapling.” Apple uses certificate stapling to help streamline the process of having millions of Apple devices checking the validity of millions and millions of certificates every day.

    #ocsp #Gatekeeper #privacy #TLS

    https://en.wikipedia.org/wiki/OCSP_stapling

    The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates.[1] It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance.

  • Your computer isn’t yours
    https://sneak.berlin/i18n/2020-11-12-your-computer-isnt-yours.fr

    It’s here. It happened. Did you notice? I’m talking, of course, about the world that Richard Stallman predicted in 1997. The one Cory Doctorow also warned us about. On modern versions of macOS, you simply cannot turn on your computer, launch a text editor or an e-book reader, write or read without a log of your activity being transmitted and stored. It turns out that in the current version of macOS, the operating system sends Apple a (...)

    #Apple #cryptage #backdoor #iOS #écoutes #PRISM #surveillance

  • Hello Apple, we have a problem!
    https://standblog.org/blog/post/2020/11/15/Allo-Apple-on-a-un-probleme

    I am stunned to discover that Apple monitors Mac users. Indeed, MacOS silently sends Apple a fingerprint (an identifier) for every piece of software you use (update: it is in fact an identifier of the developer who made the software, not the software itself[1]). This has been going on for several months. It was possible to change this behaviour by tinkering with the system, but apparently, with MacOS Big Sur (the new version that has just (...)

    #Apple #iOS #surveillance

  • RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP

    The #OCSP protocol lets an #X.509 client (for example a web browser engaged in an HTTPS connection) find out in real time the status of a certificate, in particular whether or not it has been revoked. This new RFC replaces (with slight changes) the old OCSP standard.

    http://www.bortzmeyer.org/6960.html