{"id":31325,"date":"2021-01-14T16:50:50","date_gmt":"2021-01-14T21:50:50","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=31325"},"modified":"2021-02-05T14:34:48","modified_gmt":"2021-02-05T19:34:48","slug":"contentfilterexclusionlist-gone-in-macos-11-2-beta-2","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/01\/14\/contentfilterexclusionlist-gone-in-macos-11-2-beta-2\/","title":{"rendered":"ContentFilterExclusionList Gone in macOS 11.2 Beta 2"},"content":{"rendered":"

Patrick Wardle<\/a> (tweet<\/a>, Hacker News<\/a>):<\/p>\n

Unfortunately, Apple (without telling anybody) decided to “exclude” or exempt over 50 of its own applications (such as the App Store) and daemons from being routed thru the Network Extension Framework.<\/p>

[…]<\/p>

Due to the ContentFilterExclusionList list any traffic generated from these “excluded” items could not<\/strong> be filtered or blocked by a socket filter firewall (such as LuLu). Many (rightfully) asked, “What good is a firewall if it can’t block all traffic?” <\/em>I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic[…]<\/p>

[…]<\/p>

Well, after lots of bad press and lots of feedback\/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed.<\/p><\/blockquote>\n\n

Norbert Heger<\/a>:<\/p>\n

Thanks Apple for listening!<\/p><\/blockquote>\n\n

sneak<\/a>:<\/p>\n

Big Sur on M1 (and possibly on Intel) maintains a persistent, hardware-serial-number linked TLS connection to Apple (for APNS, just like on iOS) at all times when you are logged in, even if you don’t use iCloud, App Store, iMessage, or FaceTime, and have all analytics turned off.<\/p>

There’s no UI to disable this.<\/p>

This means that Apple has the coarse location track log (due to GeoIP of the client IP) for every M1 serial number.<\/p>

[…]<\/p>

This change is essential for blocking such traffic, and I’m glad for it, but there is a long way to go when it comes to pressuring the pro-privacy forces inside of Apple to do more.<\/p><\/blockquote>\n\n

Previously:<\/p>\n