Hacker News
3 years ago by dang

Discussed a few days ago:

Apple Reneged on OCSP Privacy - https://news.ycombinator.com/item?id=31731090 - June 2022 (7 comments)

3 years ago by sneak

As the one who originally publicized the fact that Apple was leaking users' app launch data like this, I was surprised that they even committed to fixing it.

I was doubly surprised when they failed to follow through; it is unlike Apple to lie.

Note also that the link to my site in the first part of TFA is to the wrong article; the OCSP issue is related to app launches ("Your Computer Isn't Yours"), not the fact that each Mx macOS update phones home a) in plaintext and b) with hardware unique identifiers (your ARM's ECID) on every single OS update (this is TSS, not OCSP). This allows passive listeners to sniff your unencrypted HTTP TSS traffic that contains your system's unique ECID, and, via client IP geolocation, infer your travel/location history unless you remember to always update over a VPN.

Different types of bad plaintext phone home APIs. Apple uses at least 2: OCSP and TSS. :)

3 years ago by VogonPoetry

Here is a thing. The endpoint gs.apple.com already supports HTTPS (and on port 433). In fact, a new cert was issued to that endpoint on 23rd Feb 2022 -- before the date of your article. Something was already afoot before you wrote about it. This new cert also contains a custom OID, which could be used for pinning.

It is possible, with an http proxy / pihole to upgrade all of your local network connections to https when speaking to gs.apple.com.

My guess is that a change is coming, but the pieces aren't all in place yet.
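As an added illustration (not code from the thread or from Apple) of sneak's point that the TSS and OCSP calls leave the Mac as plaintext HTTP, and of VogonPoetry's suggestion of upgrading them to HTTPS at a local proxy, this Python script audits a constructed proxy log for plaintext requests to gs.apple.com and ocsp.apple.com and shows the rewrite a proxy upgrade rule would apply. The log format, the sample lines and the TSS request path are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Hosts named in the thread; the purpose strings restate the thread's description.
# A URL-only log cannot show whether a request body actually carries the ECID.
PHONE_HOME_HOSTS = {
    "gs.apple.com": "TSS update-signing ticket request (sent with hardware ECID)",
    "ocsp.apple.com": "OCSP certificate status check on app launch",
}

# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^(https?)://([^/:]+)(?::(\d+))?(/.*)?$")

@dataclass
class Finding:
    ts: str
    client: str
    url: str
    reason: str

def https_rewrite(url: str) -> str:
    """Return the https:// form of a plaintext URL to a listed host, as a proxy
    upgrade rule would; any other URL is returned unchanged."""
    m = URL_RE.match(url)
    if not m or m.group(1) != "http" or m.group(2) not in PHONE_HOME_HOSTS:
        return url
    return f"https://{m.group(2)}{m.group(4) or '/'}"

def audit(lines: List[str]) -> List[Finding]:
    """Flag every plaintext HTTP request to a listed host; skip malformed lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        u = URL_RE.match(url)
        if u and u.group(1) == "http" and u.group(2) in PHONE_HOME_HOSTS:
            findings.append(Finding(ts, client, url, PHONE_HOME_HOSTS[u.group(2)]))
    return findings

# Constructed sample: two plaintext phone-home requests, one already tunnelled
# over TLS, one unrelated host, one malformed line.
SAMPLE_LOG = [
    "2022-06-14T09:01:02Z 192.0.2.10 POST http://gs.apple.com/TSS/controller?action=2 200",
    "2022-06-14T09:01:05Z 192.0.2.10 GET http://ocsp.apple.com/ocsp-request-placeholder 200",
    "2022-06-14T09:02:00Z 192.0.2.11 CONNECT https://gs.apple.com:443/ 200",
    "2022-06-14T09:02:30Z 192.0.2.12 GET http://example.com/ 200",
    "not a log line",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.url}: {f.reason}; upgrade -> {https_rewrite(f.url)}")
```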

3 years ago by VogonPoetry

So I decided to look at the code that implements talking to gs.apple.com on my Mac. It already supports using TLS. If I am reading this correctly, there are ways it could be enabled right now. Out of respect to Apple, as they are clearly not yet ready to enable this for everyone, I am declining to say how.

3 years ago by lapcat

> each Mx macOS update phones home a) in plaintext and b) with hardware unique identifiers (your ARM's ECID) on every single OS update

Question about this article: At what point exactly during the update process does this happen?

As a workaround, could one do softwareupdate --download from Terminal, turn off your internet connection, and then do softwareupdate --install?

3 years ago by sneak

No, the machine (if set to full security) needs a signed ticket from Apple specific to your hardware (ECID) to run. It's just like an iPhone/iPad in that regard. Disabling the internet means the update will fail.

Remember TinyUmbrella and backing up your SHSH blobs so that you could downgrade to previous OSes? It's that same API.

https://www.theiphonewiki.com/wiki/Tatsu_Signing_Server

3 years ago by lapcat

> No, the machine (if set to full security) needs a signed ticket from Apple specific to your hardware (ECID) to run.

Thanks. I see now that it's somewhat documented by Apple, except the plaintext aspect. So it seems that "Reduced Security" would be the workaround.

https://support.apple.com/guide/security/startup-disk-securi...

3 years ago by callmeal

It's easy for the OS to stack up the updates and then push everything once the network is back up.

See:

https://sneak.berlin/20210202/macos-11.2-network-privacy/

3 years ago by throwntoday

I love Apple hardware, it's top notch truly but I am eager to completely remove macOS over privacy concerns. If Apple is taking privacy seriously, and advertising that, it needs to be across the board. I don't appreciate being lied to.

Shoutout to the Asahi Linux team and Godspeed.

3 years ago by sneak

I still need Lightroom and Mail.app. I solicit replacements for either. Darktable and Thunderbird ain't it.

3 years ago by post_break

Little Snitch is still one of the most powerful apps I run. I wish I could run it on my iPhone. When the OCSP thing went down I was livid. This still pisses me off.

3 years ago by jsizzle

It's obviously not the same but you can run Charles on iOS and look at the traffic coming off your iPhone and analyze it.

3 years ago by weikju

You can also turn on app privacy report in Settings->Privacy and get some info that way. Even exportable to json.

3 years ago by OrvalWintermute

Is the only way to mitigate this to jailbreak the device, edit the /etc/hosts to remap the DNS and point it at your own OCSP caching similar to what is done for airgaps and ICS/SCADA, or could you do this through 3rd party DNS apps, or an iOS VPN profile?

3 years ago by saagarjha

This is for macOS.

3 years ago by OrvalWintermute

Sounds like

>edit the /etc/hosts to remap the DNS and point it at your own OCSP caching similar to what is done for airgaps and ICS/SCADA

would be fairly easy fixes.

3 years ago by wfhordie

Does Apple offer "offline" versions of their updates in DMG form?

3 years ago by samtheprogram

Since High Sierra (released 2017), their documentation points to the App Store installer links instead of to DMGs [1]. It's still possible to create a DMG installer for newer versions using createinstallmedia on the command line after downloading the installer to a Mac.

[1]: https://support.apple.com/en-us/HT211683

3 years ago by my123

> Does Apple offer "offline" versions of their updates in DMG form?

.app bundles, but only full updates not deltas.

When using Reduced Security instead of Full Security, online verification through TSS isn't necessary to install/update an OS.

3 years ago by undefined
[deleted]
3 years ago by novok

You still need activation / authorization from apple of your device when doing a clean wipe.

3 years ago by stalfosknight

It could just be that they are still working on implementing this in a future update, maybe a minor update to Ventura. I would imagine the software engineering team has its hands full every summer with more important things like readying major new versions of all of their platforms.

3 years ago by lapcat

They said "over the next year" in November 2020. It's now June 2022. It should have been in Monterey, which shipped October 25, 2021.

3 years ago by stalfosknight

Does everything always go to plan in your workplace? No one has a crystal ball and sometimes priorities get rearranged after the fact.

3 years ago by lapcat

Except it wasn't just a private plan: Apple made a public written statement about the timeline, in response to a disaster (the Mac "appocalypse") and the resulting public criticism. So this should have been a very high priority.

3 years ago by grishka

How much work could it possibly be to add one setting and a corresponding if statement?

3 years ago by stalfosknight

Priority as dictated by business needs rather than raw work effort is usually what determines when things get done. At least on my team.

3 years ago by fartcannon

Security and privacy isn't a priority. Got it.

3 years ago by nixpulvis

Anyone want to make Apple Butter? Please send help.
