Most of this is a quote taken from https://lapcatsoftware.com/articles/ocsp-privacy.html
Discussed a few days ago:
Apple Reneged on OCSP Privacy - https://news.ycombinator.com/item?id=31731090 - June 2022 (7 comments)
As the one who originally publicized the fact that Apple was leaking users' app launch data like this, I was surprised that they even committed to fixing it.
I was doubly surprised when they failed to follow through; it is unlike Apple to lie.
Note also that the link to my site in the first part of TFA is to the wrong article; the OCSP issue is related to app launches ("Your Computer Isn't Yours"), not the fact that each Mx macOS update phones home a) in plaintext and b) with hardware unique identifiers (your ARM's ECID) on every single OS update (this is TSS, not OCSP). This allows passive listeners to sniff your unencrypted HTTP TSS traffic that contains your system's unique ECID, and, via client IP geolocation, infer your travel/location history unless you remember to always update over a VPN.
Different types of bad plaintext phone home APIs. Apple uses at least 2: OCSP and TSS. :)
Here is a thing. The endpoint gs.apple.com already supports HTTPS (and on port 443). In fact, a new cert was issued to that endpoint on 23rd Feb 2022 -- before the date of your article. Something was already afoot before you wrote about it. This new cert also contains a custom OID, which could be used for pinning.
It is possible, with an http proxy / pihole to upgrade all of your local network connections to https when speaking to gs.apple.com.
My guess is that a change is coming, but the pieces aren't all in place yet.
So I decided to look at the code that implements talking to gs.apple.com on my Mac. It already supports using TLS. If I am reading this correctly, there are ways it could be enabled right now. Out of respect for Apple, as they are clearly not yet ready to enable this for everyone, I am declining to say how.
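The local-proxy upgrade the comment above describes, written out as an added example (not the commenter's code and not anything from Apple). It assumes a transparent proxy running mitmproxy sits between the Mac and the internet, that mitmproxy's `request` addon hook lets the upstream scheme and port be rewritten before the connection is made, and that https://gs.apple.com:443 serves the same TSS endpoint as the plaintext one. The host list and the stand-in request object are constructed for the example.

```python
"""Upgrade plaintext requests to gs.apple.com to HTTPS at a local proxy.

Added example. Assumes mitmproxy in transparent mode; the pure function
`upgrade_target` holds the policy so it can be tested without mitmproxy.
"""
from types import SimpleNamespace
from typing import Tuple

# Hosts the thread identifies as plaintext phone-home endpoints (assumption:
# only gs.apple.com is listed here; add others if you verify they speak TLS).
UPGRADE_HOSTS = frozenset({"gs.apple.com"})

def upgrade_target(scheme: str, host: str, port: int) -> Tuple[str, str, int]:
    """Return the (scheme, host, port) the proxy should use upstream.

    Only plaintext HTTP to a listed host is rewritten to HTTPS on 443;
    every other request is returned unchanged so the proxy stays
    transparent for unrelated traffic.
    """
    if scheme == "http" and host.lower() in UPGRADE_HOSTS:
        return ("https", host, 443)
    return (scheme, host, port)

def request(flow) -> None:
    """mitmproxy addon hook, called once per client request.

    `pretty_host` is the Host header (in transparent mode `host` is the
    original destination IP), which is what the policy matches on.
    """
    req = flow.request
    scheme, _host, port = upgrade_target(req.scheme, req.pretty_host, req.port)
    if (scheme, port) != (req.scheme, req.port):
        req.scheme = scheme   # mitmproxy now opens a TLS connection upstream
        req.port = port

def demo() -> Tuple[str, str, int]:
    """Run the hook against a constructed stand-in for a mitmproxy flow."""
    req = SimpleNamespace(scheme="http", host="17.0.0.1",
                          pretty_host="gs.apple.com", port=80)
    request(SimpleNamespace(request=req))
    return (req.scheme, req.pretty_host, req.port)

if __name__ == "__main__":
    print(demo())
```

Run it with `mitmproxy -m transparent -s upgrade_gs.py` on the box that routes the Mac's traffic. Note the limit of this mitigation: the Mac still emits the request, ECID included, in plaintext on the segment between it and the proxy, so only the proxy-to-Apple leg gains confidentiality; if the proxy is not on the same machine as the client, that LAN leg is still sniffable.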
> each Mx macOS update phones home a) in plaintext and b) with hardware unique identifiers (your ARM's ECID) on every single OS update
Question about this article: At what point exactly during the update process does this happen?
As a workaround, could one do softwareupdate --download from Terminal, turn off your internet connection, and then do softwareupdate --install?
No, the machine (if set to full security) needs a signed ticket from Apple specific to your hardware (ECID) to run. It's just like an iPhone/iPad in that regard. Disabling the internet means the update will fail.
Remember TinyUmbrella and backing up your SHSH blobs so that you could downgrade to previous OSes? It's that same API.
> No, the machine (if set to full security) needs a signed ticket from Apple specific to your hardware (ECID) to run.
Thanks. I see now that it's somewhat documented by Apple, except the plaintext aspect. So it seems that "Reduced Security" would be the workaround.
https://support.apple.com/guide/security/startup-disk-securi...
It's easy for the OS to stack up the updates and then push everything once the network is back up.
See:
I love Apple hardware, it's top notch truly but I am eager to completely remove macOS over privacy concerns. If Apple is taking privacy seriously, and advertising that, it needs to be across the board. I don't appreciate being lied to.
Shoutout to the Asahi Linux team and Godspeed.
I still need Lightroom and Mail.app. I solicit replacements for either. Darktable and Thunderbird ain't it.
Little Snitch is still one of the most powerful apps I run. I wish I could run it on my iPhone. When the OCSP thing went down I was livid. This still pisses me off.
It's obviously not the same, but you can run Charles on iOS and look at the traffic coming off your iPhone and analyze it.
You can also turn on app privacy report in Settings->Privacy and get some info that way. Even exportable to json.
Is the only way to mitigate this to jailbreak the device, edit the /etc/hosts to remap the DNS and point it at your own OCSP caching similar to what is done for airgaps and ICS/SCADA, or could you do this through 3rd party DNS apps, or an iOS VPN profile?
This is for macOS.
Sounds like
> edit the /etc/hosts to remap the DNS and point it at your own OCSP caching similar to what is done for airgaps and ICS/SCADA
would be fairly easy fixes.
Does Apple offer "offline" versions of their updates in DMG form?
Since High Sierra (released 2017), their documentation points to the App Store installer links instead of to DMGs [1]. It's still possible to create a DMG installer for newer versions using createinstallmedia on the command line after downloading the installer to a Mac.
> Does Apple offer "offline" versions of their updates in DMG form?
.app bundles, but only full updates, not deltas.
When using Reduced Security instead of Full Security, online verification through TSS isn't necessary to install/update an OS.
You still need activation / authorization from apple of your device when doing a clean wipe.
It could just be that they are still working on implementing this in a future update, maybe a minor update to Ventura. I would imagine the software engineering team has its hands full every summer with more important things like readying major new versions of all of their platforms.
They said "over the next year" in November 2020. It's now June 2022. It should have been in Monterey, which shipped October 25, 2021.
Does everything always go to plan in your workplace? No one has a crystal ball and sometimes priorities get rearranged after the fact.
Except it wasn't just a private plan: Apple made a public written statement about the timeline, in response to a disaster (the Mac "appocalypse") and the resulting public criticism. So this should have been a very high priority.
How much work could it possibly be to add one setting and a corresponding if statement?
Priority as dictated by business needs rather than raw work effort is usually what determines when things get done. At least on my team.
Security and privacy isn't a priority. Got it.
Anyone want to make Apple Butter? Please send help.