Monday, March 14, 2022

Still No Preference to Opt Out of OCSP

Howard Oakley:

Although Apple has made a big thing of protecting privacy, macOS has one hole which Apple acknowledged over a year ago, promised to fix, and hasn’t fulfilled its promises. Every time you open an app, macOS checks the validity of its developer’s signing certificate. If that certificate hasn’t been checked recently with Apple, your Mac connects to Apple’s servers and checks it with them, an action which could reveal information to an eavesdropper.


Above all else, Apple now needs to explain properly to users, particularly those in Ukraine and other nations which are dangerous places to use a Mac, exactly how it protects code signature checks from eavesdropping. Which versions of macOS provide checks using robust protection? What is that protection?

Howard Oakley:

For those who don’t or can’t risk the OCSP exchange and transmission of new hashes, there are solutions which should mitigate that. For instance, provided that an app has already been run and its cdhashes entered into the local security database, no repeated copies of those hashes should be sent to iCloud. Blocking outgoing connections to and is readily performed using a software firewall such as Little Snitch or LuLu.


Update (2022-03-16): See also: Hacker News.
