what the article is actually saying

… So Jeffrey Paul’s analysis isn’t quite accurate - at least for what concerns these parts (emphasis mine). /…/ macOS does actually send out some opaque information about the developer certificate of those apps, and that’s quite an important difference on a privacy perspective.

1 Like

The Jeffrey Paul article used an incorrect representation of the facts to present a one-sided, sensationalized take on OCSP, and it worked, insofar as he attracted a lot of attention.

I do not think it ultimately reflects well on him. The silver lining is that more people are probably aware of the debate over OCSP vs malware.

Here’s a current article that appears to present an informed, alternate perspective that does not disregard the privacy concerns.

8 Likes

Prior to this week, I had never read the letters OCSP as it doesn’t really fall in the domain of things I’m interested in.

I guess many people’s concern, including myself, is that for some reason (good or otherwise (which is itself a separate discussion)) your computer can stop functioning as it normally does, in a way that is invisible to you.

I tend to leave most apps open all the time, so other than youtube going down (was that the same day? (!!)), I didn’t notice anything weird, BUT that would have been pretty freaky, and much more, if you use your computer for work/etc… you are pretty fucked.

So if SECURITY™ means that you may not be able to use your computer sometimes, then I’m not sure it’s worth it.

4 Likes

This specific episode of software not running because of a hobbled server should be filed under the category of “embarrassing bug”. That Apple hasn’t addressed it publicly (to my knowledge) is also a problem, although they have a longstanding practice of staying mum for several days about security-related things (e.g., exploits) before making carefully vetted statements, often in concert with remedial actions.

The privacy vs security debate rages on.

1 Like

i’m very glad to hear the situation is different than initially expected, thank you for posting the link.

however this does not lessen my distaste for closed-source for-profit corporate control of digital life, which increasingly is now just “life”— and while there aren’t perfect alternatives yet, this should not stop us from being honest about what is happening now nor stop us from imagining something better.

24 Likes

Whether it’s nefarious or not is another matter. I would lean towards what you’re saying that it falls into the unintentional “bug” category. But that doesn’t change the fact that a personal computer can be hobbled remotely, for whatever reason.

Plus, it doesn’t take too active an imagination to come to the conclusion that “bugs” (like these) tend to generally favor the house.

3 Likes

Skepticism is healthy, but any discussion of remotely hobbling a computer needs to also keep the malware problem front and center.

what the article is actually saying

While I’m going to sound like an Apple apologist, I think the privacy arguments are far-fetched. Even if we took them to their extreme conclusion and Apple allowed users to disable all the controls they provide, we would cause more harm than good. There is certainly an opportunity for Apple to abuse the data they have access to (and oh boy do they have a lot of data on their users), but then again I think about the data that companies like Reddit, Facebook, Google and PornHub have on the average user and ask myself who has the most power to compromise a person’s life?

t3h, you can debate where to draw the line on privacy vs security. Perhaps you have something constructive to add? (I’m not even trying to debate that mess, but I am trying to navigate it for myself.) But if you decontextualize it—which is what Jeffrey Paul did (first article), and introduce misinformation in the process—then you’re not helping anything.

You have now quoted me out of context to create the impression I am misreading a third article, when I am merely stating my conclusions based on three articles (and my experience). If what I wrote was confusing, I apologize. Don’t get too clever.

1 Like

you mean other than pointing out your attempts to diminish the value of the source material and the position of its author based on materials that do not support your arguments?

1 Like

t3h, unless I’m mistaken in interpreting the conversation - I think the point was, that you were quoting an article that is not written by Jeffrey Paul but someone else, whereas mdoudoroff was referring to the article linked by tehn in the initial post of this thread, which was written by said Jeffrey Paul. So you are talking about two different articles, both mentioned in this thread.

As far as I can understand the technical discussion based on those articles:

  • What is sent unencrypted on opening an application is not a unique application id / hash, but a unique developer ID / public part of developer certificate, which is something that “everyone” knows in any case. So Apple, and anyone capable of monitoring and logging your network traffic does in fact not see “this guy just opened Live” but “this guy just opened an application by Ableton”.
  • Jeffrey Paul’s main point is not necessarily that Apple is spying on you (although he does assume some level of malice which is debatable) – rather, as long as the information is sent unencrypted over plain HTTP, anyone can “spy on you”, or see which applications you open and when. The correction in the other article changes this to “anyone can see which developers’ applications you open and when”.

None of these points changes the fact that the original intention is (add “at least on paper” for those who are doubtful) checking that developers’ certificates are still valid on the fly, in case a signed app gets caught doing nasty things to your computer and Apple finds out & revokes the certificate, and the main technical problem could be remedied simply by using HTTPS - but does this otherwise sound roughly correct or am I misinterpreting / misreading something?

(Please try not to read any claims between the lines regarding whether any of this is a good or a bad thing - I’m simply trying to figure out whether I understood the original claim and the corrections correctly…)

7 Likes
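The kind of request the post above describes, as an added example that is not part of the original thread: it builds and then decodes an OCSP request (RFC 6960) the way it appears in a plain-HTTP GET path. The `/ocsp-example/` path, the SHA-1 CertID and all sample values are assumptions constructed for illustration.

```python
import base64, hashlib
from urllib.parse import quote, unquote

def tlv(tag, body):
    """DER-encode one element (short or long length form)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def children(body):
    """Split a DER value into its (tag, value) child elements."""
    items, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        if pos + n > len(body):
            raise ValueError("truncated DER element")
        items.append((tag, body[pos:pos + n]))
        pos += n
    return items

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26) with NULL parameters.
SHA1_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))

def build_request(name_hash, key_hash, serial):
    """OCSPRequest > TBSRequest > requestList > Request > CertID."""
    ser = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # stays positive
    cert_id = tlv(0x30, SHA1_ALG + tlv(0x04, name_hash)
                  + tlv(0x04, key_hash) + tlv(0x02, ser))
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def observed_fields(url_path):
    """Fields anyone on the path can read from a plain-HTTP OCSP GET."""
    der = base64.b64decode(unquote(url_path.rsplit("/", 1)[1]))
    tbs = children(children(der)[0][1])[0][1]
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    found = []
    for _, request in children(request_list):
        _alg, name_hash, key_hash, serial = (v for _, v in children(children(request)[0][1]))
        found.append({"issuer_name_hash": name_hash.hex(),
                      "issuer_key_hash": key_hash.hex(),
                      "cert_serial": int.from_bytes(serial, "big")})
    return found

# Constructed sample values, not a real issuer or certificate.
NAME_HASH = hashlib.sha1(b"constructed issuer name").digest()
KEY_HASH = hashlib.sha1(b"constructed issuer key").digest()
SERIAL = 0x5A3C9E0F1B2D4477
PATH = "/ocsp-example/" + quote(
    base64.b64encode(build_request(NAME_HASH, KEY_HASH, SERIAL)).decode(), safe="")
```

Every field in the CertID identifies a certificate and its issuer; nothing in the request is derived from the application binary, so two apps signed with the same certificate produce the same request.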

In addition to the technical discussion (and to privacy/surveillance discussion) there is also a wider question of ownership that Jeffrey Paul was referring to in the title of his piece: Your Computer Isn’t Yours. This is referring to the aggressive strategy of Apple on restricting how their devices can be used, repaired, what software can be used in what circumstances. We have had a similar discussion about the implementation of the T2 chip in Apple computers that basically acts as a gatekeeper making sure that only certain parts can be used in repairing/building the devices. As we all know, this discussion went nowhere because of… you guessed it… the SECURITY argument. When we are talking about T2 or OCSP or any other crap like this, what we are talking about really is the limits of control. How much control are we giving to the manufacturer over our devices and through this over our daily lives?

2 Likes

True, that’s the other side of the discussion, which I tried sidestepping for the sake of understanding the technical side - eg. the difference between what was claimed, what the actual mechanism is, and what the practical difference between them is. And only after that, what the privacy / control implications could be.

No matter whether you “trust” a company or not, the point does stand that some have the capability to remotely revoke a certificate on the fly and stop any signed, already installed apps from (easily) working on your computer. Some don’t. Whether that capability will ever be abused or not, whether the information about which developers’ apps you have installed and use is of importance to anyone who doesn’t need to know, and whether the capability can be used for the good of the common user (security implications), it’s still a question of principle for many people.

(Reminds me when Amazon sold certain Kindle books they realized had copyright / ownership issues, and then simply remotely deleted the books from users’ devices and returned their money - which unsurprisingly didn’t make everyone happy. One can argue that people only license the content for their use, but that doesn’t change the fact that something like that usually seems to feel like “someone took away a book I owned” rather than “someone revoked my license to content I purchased”.)

On one hand, I’m kind of undecided on the whole control issue and what’s enough / too much. On the other hand - I suppose there is a reason why I moved to a Linux system after 15 years of Apple at home, and currently trying to get rid of most of online services belonging to companies that are just a bit scary and large to my liking. It’s not all black & white in a “screw Apple, Google and evil social media companies”, but there are things that worry me about the direction these things are going to.

(Edit: I guess my point is that while I’m very interested in the subject and very worried about some things I’ve been witnessing for the past 15 years as a computer user and a software engineer / random tinkerer, I’m still kinda undecided on where to draw the line, and hence tend to err on the neutral side of things - knowing that’s a stance in itself…)

2 Likes

Apple released a statement, and it sounds like the incident is prompting some change:

7 Likes

  • A new encrypted protocol for Developer ID certificate revocation checks
  • Strong protections against server failure
  • A new preference for users to opt out of these security protections

Sounds like they’re promising to address all the major issues raised (both the ability to eavesdrop, and the “ownership” side of things), that’s good!

11 Likes

Yes. Make a small edit to your hosts file:

add the line

127.0.0.1 ocsp.apple.com

somewhere

I also now use https://objective-see.com/products/lulu.html

3 Likes

If you really hate Apple validating your software, you can always just totally disable Gateway.

I don’t recommend it for most users, but it’s an option.

I used to be super paranoid about my data and to a point I still am (I do all the classic security stuff) but once you dive into the rabbit hole of infosec you realize there’s only so much you can do to stop data leaking from your devices and honestly I don’t have the time to constantly worry about it.

3 Likes

You’re using lulu instead of lil’ snitch?

What other stuff do you add to it to block?