Article points out numerous security and privacy issues but seeks to diminish them using highly dubious reasoning. Headline is inappropriate.
Yes it very much is an issue and Apple should know better.
As usual you provide your obtuse anti-Apple BS right on queue, and are usually first to comment, I think you must be getting paid to provide first-in-line negative responses to pour your special brand of gasoline on a non-existent Apple fire, good god...
I'm [...] only sometimes anti-Apple
Bwahahahahaha, that's a good one.
My last 10 posts (not including those in this thread):
Lulling us all into a false sense of security and then... You pounce!!!
Yeah, I'm a real apex predator, stalking the AppleInsider forums for forumite prey, making hundreds of benign posts to blend in with the crowd. And then, when they least expect it, I post about a gripe with Apple and then I've got them, another forumite fooled!
I guess then I eat them or something? I'm not really sure what the end game to this deception is supposed to be. That's the point where all this "paid shill" nonsense that Apple fanboys throw around falls apart; it just doesn't make any sense.
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
Or wait for Apple to fix it so the IP address is no longer part of the app notarization. Apple already acknowledged it as a valid concern and is planning to remove it sometime in the next few months.
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
Or wait for Apple to fix it so the IP address is no longer part of the app notarization. Apple already acknowledged it as a valid concern and is planning to remove it sometime in the next few months.
My comment was more in response to "Every time you open a web page your IP address is exposed." IP address obfuscation is a great way to (help) hide your identity.
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
Yes it's been more than 30 years, but I guess we should check with Al just to be sure. ;-) Some of us were using the internet and ARPANET before HTML made the internet user friendly for the masses - of advertisers, whiners, social media junkies, and conspiracy theorists. If only we could go back to the halcyon days of VT220s and ASCII art ... sigh.
What mess? I’ve upgraded one of my Macs and it’s been working perfectly, even with some non-standard apps that I didn’t think would work.
What’s your concern?
Thanks. My concern is privacy. I don’t want Apple to be aware of where I am, what I use and when. It’s why I chose Apple over Google.
Man: you should read the fine print better as Apple aggregates a lot of data about their users to improve experience and whatever else. Is not FB or Google or Amazon, is Apple, the company with the highest stock market capitalization of all times. All these companies track people and use that info to their advantage in many ways. Stock market capitalization is (also) pointing that. You should be long AAPL (or the others) as the dominant position will not disappear soon, but do not buy all the fairy tales / marketing messages of “don’t do evil”. Is capitalism at his best, still unregulated as is a global problem (like tax elusion).
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
Or wait for Apple to fix it so the IP address is no longer part of the app notarization. Apple already acknowledged it as a valid concern and is planning to remove it sometime in the next few months.
This isn't about notarization, it's about revocation. If you really want to boil it down do its essence it's really about Apple logging which IP addresses have submitted revocation checks on which certificates. There's no way to remove the IP address because it is a necessary part of the routing information associated with the network messaging. I think this will eventually fall into the same category as the "Do Not Track" settings in Safari where you are "politely asking" web servers not to keep any trackable information around even though they already have that information in their hands. Perhaps we'll see a "Do Not Log" setting that users can turn on to tell OCSP responders not to log the information they receive during revocation checks.
Again, it's all about the trust relationship between you and Apple. If you don't trust Apple and if you could opt-out of all of Apple's security protections, would you? This would mean signing something that would indemnify Apple for any and all losses that you suffer while using an Apple computer. You would take full responsibility for ensuring that everything that lands on your computer is safe and will not cause you any harm, i.e., you're on your own buddy - good luck. You become the trust authority - based on what knowledge? If you lose personal property, lose access to your computer, or have your personal information stolen from you due to malware, ransomware, or any form of nefarious software that YOU allowed on your computer because you trusted it, you'd be all alone and SOL, but yeah, Apple wouldn't potentially know that you're launching your favorite video game or making TikToc videos every day when you really should be working. It's all about weighing the trade-offs and balancing pragmatism with ideology.
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
Or wait for Apple to fix it so the IP address is no longer part of the app notarization. Apple already acknowledged it as a valid concern and is planning to remove it sometime in the next few months.
This isn't about notarization, it's about revocation. If you really want to boil it down do its essence it's really about Apple logging which IP addresses have submitted revocation checks on which certificates. There's no way to remove the IP address because it is a necessary part of the routing information associated with the network messaging. I think this will eventually fall into the same category as the "Do Not Track" settings in Safari where you are "politely asking" web servers not to keep any trackable information around even though they already have that information in their hands. Perhaps we'll see a "Do Not Log" setting that users can turn on to tell OCSP responders not to log the information they receive during revocation checks.
Again, it's all about the trust relationship between you and Apple. If you don't trust Apple and if you could opt-out of all of Apple's security protections, would you? This would mean signing something that would indemnify Apple for any and all losses that you suffer while using an Apple computer. You would take full responsibility for ensuring that everything that lands on your computer is safe and will not cause you any harm, i.e., you're on your own buddy - good luck. You become the trust authority - based on what knowledge? If you lose personal property, lose access to your computer, or have your personal information stolen from you due to malware, ransomware, or any form of nefarious software that YOU allowed on your computer because you trusted it, you'd be all alone and SOL, but yeah, Apple wouldn't potentially know that you're launching your favorite video game or making TikToc videos every day when you really should be working. It's all about weighing the trade-offs and balancing pragmatism with ideology.
FWIW Apple has also said that within the next 12 months there will be a user toggle for opting out of all the security protections offered by macOS. Would that take care of the concern you have?
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
Or wait for Apple to fix it so the IP address is no longer part of the app notarization. Apple already acknowledged it as a valid concern and is planning to remove it sometime in the next few months.
This isn't about notarization, it's about revocation. If you really want to boil it down do its essence it's really about Apple logging which IP addresses have submitted revocation checks on which certificates. There's no way to remove the IP address because it is a necessary part of the routing information associated with the network messaging. I think this will eventually fall into the same category as the "Do Not Track" settings in Safari where you are "politely asking" web servers not to keep any trackable information around even though they already have that information in their hands. Perhaps we'll see a "Do Not Log" setting that users can turn on to tell OCSP responders not to log the information they receive during revocation checks.
Again, it's all about the trust relationship between you and Apple. If you don't trust Apple and if you could opt-out of all of Apple's security protections, would you? This would mean signing something that would indemnify Apple for any and all losses that you suffer while using an Apple computer. You would take full responsibility for ensuring that everything that lands on your computer is safe and will not cause you any harm, i.e., you're on your own buddy - good luck. You become the trust authority - based on what knowledge? If you lose personal property, lose access to your computer, or have your personal information stolen from you due to malware, ransomware, or any form of nefarious software that YOU allowed on your computer because you trusted it, you'd be all alone and SOL, but yeah, Apple wouldn't potentially know that you're launching your favorite video game or making TikToc videos every day when you really should be working. It's all about weighing the trade-offs and balancing pragmatism with ideology.
FWIW Apple has also said that within the next 12 months there will be a user toggle for opting out of all the security protections offered by macOS. Would that take care of the concern you have?
I trust Apple, so being able to opt-out is not a concern of mine.
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
I make it a point to always respond to the continuing lies about Al Gore's contributions to the Internet. George Bush's distortions about Gore continues to pervade the internet and comments. Massive lying and misinformation started before Trump. So, here's what the computer scientists who define the internet protocols actually said. And please inform your friends and colleagues to stop pushing the myth that it was Gore who was lying.
----------------------
Al Gore and the Internet
By Robert Kahn and Vinton Cerf
Dated: 28 Sep 2000
Al Gore was the first political leader to recognize the importance of the Internet and to promote and support its development.
No one person or even small group of persons exclusively invented the Internet. It is the result of many years of ongoing collaboration among people in government and the university community. But as the two people who designed the basic architecture and the core protocols that make the Internet work, we would like to acknowledge VP Gore’s contributions as a Congressman, Senator and as Vice President. No other elected official, to our knowledge, has made a greater contribution over a longer period of time.
Last year the Vice President made a straightforward statement on his role. He said: “During my service in the United States Congress I took the initiative in creating the Internet.” We don’t think, as some people have argued, that Gore intended to claim he invented the Internet. Moreover, there is no question in our minds that while serving as Senator, Gore’s initiatives had a significant and beneficial effect on the still-evolving Internet. The fact of the matter is that Gore was talking about and promoting the Internet long before most people were listening. We feel it is timely to offer our perspective.
As far back as the 1970s Congressman Gore promoted the idea of high speed telecommunications as an engine for both economic growth and the improvement of our educational system. He was the first elected official to grasp the potential of computer communications to have a broader impact than just improving the conduct of science and scholarship. Though easily forgotten, now, at the time this was an unproven and controversial concept. Our work on the Internet started in 1973 and was based on even earlier work that took place in the mid-late 1960s. But the Internet, as we know it today, was not deployed until 1983. When the Internet was still in the early stages of its deployment, Congressman Gore provided intellectual leadership by helping create the vision of the potential benefits of high speed computing and communication. As an example, he sponsored hearings on how advanced technologies might be put to use in areas like coordinating the response of government agencies to natural disasters and other crises.
As a Senator in the 1980s Gore urged government agencies to consolidate what at the time were several dozen different and unconnected networks into an Interagency Network. Working in a bi-partisan manner with officials in Ronald Reagan and George Bush’s administrations, Gore secured the passage of the High Performance Computing and Communications Act in 1991. This Gore Act supported the National Research and Education Network (NREN) initiative that became one of the major vehicles for the spread of the Internet beyond the field of computer science.
As Vice President Gore promoted building the Internet both up and out, as well as releasing the Internet from the control of the government agencies that spawned it. He served as the major administration proponent for continued investment in advanced computing and networking and private sector initiatives such as Net Day. He was and is a strong proponent of extending access to the network to schools and libraries. Today, approximately 95% of our nations schools are on the Internet. Gore provided much-needed political support for the speedy privatization of the Internet when the time arrived for it to become a commercially-driven operation.
There are many factors that have contributed to the Internet’s rapid growth since the later 1980s, not the least of which has been political support for its privatization and continued support for research in advanced networking technology. No one in public life has been more intellectually engaged in helping to create the climate for a thriving Internet than the Vice President. Gore has been a clear champion of this effort, both in the councils of government and with the public at large.
The Vice President deserves credit for his early recognition of the value of high speed computing and communication and for his long-term and consistent articulation of the potential value of the Internet to American citizens and industry and, indeed, to the rest of the world.
Article points out numerous security and privacy issues but seeks to diminish them using highly dubious reasoning. Headline is inappropriate.
Yes it very much is an issue and Apple should know better.
Have to agree here.
Apple doesn’t need to track what I do. Period.
Especially when privacy is a market differentiator for them.
And notarization sounds great on one hand and horrible on the other.
I do t want Apple controlling what podcast I listen to, what app I use, or knowing about my activities at all.
An option to toggle on or off is good. Like those crash report windows. You can choose to send to Apple or not.
If I want to use Parler instead of Twitter, Apple should be none the wise other than the fact I downloaded an app - for Apple ID account and managing which apps I have and which I don’t.
Apple can track their server activity. Not mine. I. E. Downloads sole can track. Opens and use, not so much.
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
I make it a point to always respond to the continuing lies about Al Gore's contributions to the Internet. George Bush's distortions about Gore continues to pervade the internet and comments. Massive lying and misinformation started before Trump. So, here's what the computer scientists who define the internet protocols actually said. And please inform your friends and colleagues to stop pushing the myth that it was Gore who was lying.
----------------------
Al Gore and the Internet
By Robert Kahn and Vinton Cerf
Dated: 28 Sep 2000
Al Gore was the first political leader to recognize the importance of the Internet and to promote and support its development.
No one person or even small group of persons exclusively invented the Internet. It is the result of many years of ongoing collaboration among people in government and the university community. But as the two people who designed the basic architecture and the core protocols that make the Internet work, we would like to acknowledge VP Gore’s contributions as a Congressman, Senator and as Vice President. No other elected official, to our knowledge, has made a greater contribution over a longer period of time.
Last year the Vice President made a straightforward statement on his role. He said: “During my service in the United States Congress I took the initiative in creating the Internet.” We don’t think, as some people have argued, that Gore intended to claim he invented the Internet. Moreover, there is no question in our minds that while serving as Senator, Gore’s initiatives had a significant and beneficial effect on the still-evolving Internet. The fact of the matter is that Gore was talking about and promoting the Internet long before most people were listening. We feel it is timely to offer our perspective.
As far back as the 1970s Congressman Gore promoted the idea of high speed telecommunications as an engine for both economic growth and the improvement of our educational system. He was the first elected official to grasp the potential of computer communications to have a broader impact than just improving the conduct of science and scholarship. Though easily forgotten, now, at the time this was an unproven and controversial concept. Our work on the Internet started in 1973 and was based on even earlier work that took place in the mid-late 1960s. But the Internet, as we know it today, was not deployed until 1983. When the Internet was still in the early stages of its deployment, Congressman Gore provided intellectual leadership by helping create the vision of the potential benefits of high speed computing and communication. As an example, he sponsored hearings on how advanced technologies might be put to use in areas like coordinating the response of government agencies to natural disasters and other crises.
As a Senator in the 1980s Gore urged government agencies to consolidate what at the time were several dozen different and unconnected networks into an Interagency Network. Working in a bi-partisan manner with officials in Ronald Reagan and George Bush’s administrations, Gore secured the passage of the High Performance Computing and Communications Act in 1991. This Gore Act supported the National Research and Education Network (NREN) initiative that became one of the major vehicles for the spread of the Internet beyond the field of computer science.
As Vice President Gore promoted building the Internet both up and out, as well as releasing the Internet from the control of the government agencies that spawned it. He served as the major administration proponent for continued investment in advanced computing and networking and private sector initiatives such as Net Day. He was and is a strong proponent of extending access to the network to schools and libraries. Today, approximately 95% of our nations schools are on the Internet. Gore provided much-needed political support for the speedy privatization of the Internet when the time arrived for it to become a commercially-driven operation.
There are many factors that have contributed to the Internet’s rapid growth since the later 1980s, not the least of which has been political support for its privatization and continued support for research in advanced networking technology. No one in public life has been more intellectually engaged in helping to create the climate for a thriving Internet than the Vice President. Gore has been a clear champion of this effort, both in the councils of government and with the public at large.
The Vice President deserves credit for his early recognition of the value of high speed computing and communication and for his long-term and consistent articulation of the potential value of the Internet to American citizens and industry and, indeed, to the rest of the world.
------------------------------
The direct Gore quote is “During my service in the United States Congress, I took the initiative in creating the Internet." What Kahn and Cerf "think" of this quote is just that... What they think. It's is their opinion, nothing more. Regardless of their opinion, Gore did state that he created the internet. I said nothing more than that.
Politicians (and perhaps people) as a whole tend to blow their own horn and inflate their achievements and self-worth. Had Gore stated something to the effect that he sponsored / spearheaded legislation which helped expand ARPANET into the publicly accessed network known as the internet. He did not. The foundations of the internet began in the 1960's and evolved over time into what we have today. While Gore may have had a significant hand in the legislative aspect of the internet's development as we know it, he absolutely did not create it.
As for "Massive lying and misinformation started before Trump." Absolutely correct! We cannot forget Obama, Bush (43), Clinton, Bush (41) or most any other President / politician / human being.
1. OCSP is not encrypted by default, and the RFC (https://tools.ietf.org/html/rfc6960) states that "where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either Transport Layer Security/Secure Socket Layer (TLS/SSL) or some other lower-layer protocol."
2. It is reported that Apple does not use encryption for its OCSP requests.
3. The request contains personnal information.
Thus Apple's use of OCSP leaks personnal information on the network.
Opinion:
That other data or metadata is available via other means to ISPs, networks operators, CDNs etc. is of no importance here. The topic is: OCSP leaks information. Why? Is it important? And what should Apple have done about it? Arguing that apps use ports etc. is just whataboutism.
Why does Apple use unsecure OCSP to transfer personnal data/metadata? Because it is their technical choice.
Is it important? As the RFC states, it depends on the "privacy requirement". For everyday mac users, maybe not, but that's not enough to disqualify the original blog post security issues as too far fetched. Especially when Apple is marketing its devices on the promise of data privacy. That marketing targets users who's "privacy requirements" are obviously high from the beginning.
What should Apple have done about it? Encrypt the metadata. Inform the users. Let the users disable the feature as a security compromise of their own choosing after warning them of what comes with the decision.
Because the article fails to explains the simple facts, and points the finger to other issues that are not the subject discussed, its conclusion is lacking objectivity. There is something to be said of Apple, a company that usually pushes the boundaries when it comes to standards and RFCs, when they implement a solution in an unsecure way. Be it only to remind everyone that marketing is marketing, and security is engineering.
1. OCSP is not encrypted by default, and the RFC (https://tools.ietf.org/html/rfc6960) states that "where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either Transport Layer Security/Secure Socket Layer (TLS/SSL) or some other lower-layer protocol."
2. It is reported that Apple does not use encryption for its OCSP requests.
3. The request contains personnal information.
Thus Apple's use of OCSP leaks personnal information on the network.
Opinion:
That other data or metadata is available via other means to ISPs, networks operators, CDNs etc. is of no importance here. The topic is: OCSP leaks information. Why? Is it important? And what should Apple have done about it? Arguing that apps use ports etc. is just whataboutism.
Why does Apple use unsecure OCSP to transfer personnal data/metadata? Because it is their technical choice.
Is it important? As the RFC states, it depends on the "privacy requirement". For everyday mac users, maybe not, but that's not enough to disqualify the original blog post security issues as too far fetched. Especially when Apple is marketing its devices on the promise of data privacy. That marketing targets users who's "privacy requirements" are obviously high from the beginning.
What should Apple have done about it? Encrypt the metadata. Inform the users. Let the users disable the feature as a security compromise of their own choosing after warning them of what comes with the decision.
Because the article fails to explains the simple facts, and points the finger to other issues that are not the subject discussed, its conclusion is lacking objectivity. There is something to be said of Apple, a company that usually pushes the boundaries when it comes to standards and RFCs, when they implement a solution in an unsecure way. Be it only to remind everyone that marketing is marketing, and security is engineering.
So you are saying that Apple is lying when it says that they do not include any personally identifiable information in OCSP requests?
macOS has been designed to keep users and their data safe while respecting their privacy.
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the the next year we will introduce several changes to our security checks:
A new encrypted protocol for Developer ID certificate revocation checks
Strong protections against server failure
A new preference for users to opt out of these security protections”
You are making claims that are contradictory to what Apple has publicly stated. There are far too many cash strapped lawyers on the planet for Apple to serve up a softball in the form of an obvious lie.
As far as not encrypting OCSP requests, if there is no personally identifiable information (PII) in the request, what is the concern from a privacy standpoint? There are other legitimate concerns related to security, as in an inherent vulnerability to man in the middle attacks, but if Apple is telling the truth, why all the fuss? As you see above, they will be upgrading to encrypted protocol soon.
As I said, it’s all about trust. Either you trust that Apple is using OCSP and notarization to protect you from apps/binaries that have been revoked or tampered, respectively, you trust that Apple isn’t hiding any PII in the revocation checks, and you trust that Apple isn’t saving IP addresses in their logs ... or you don’t. If you don’t trust Apple, why keep using their stuff? Microsoft, Google, and the Linux world are as eager as Apple to earn your trust, but keep in mind that Microsoft and Google have their own processes in place to handle the same requirements. In Google’s case, it’s a homegrown solution, which should make you feel very very comfortable - or maybe not.
Also note that the “opt-out” option is related to revocation. There is nothing stating that Apple will allow users to “opt-out of all security.” I’d be interested to know why anyone running a connected computer would opt-out of revocation checking, but what the heck, having been personally impacted by the Stuxnet debacle my perspective is different than some other folks.
1. OCSP is not encrypted by default, and the RFC (https://tools.ietf.org/html/rfc6960) states that "where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either Transport Layer Security/Secure Socket Layer (TLS/SSL) or some other lower-layer protocol."
2. It is reported that Apple does not use encryption for its OCSP requests.
3. The request contains personnal information.
Thus Apple's use of OCSP leaks personnal information on the network.
Opinion:
That other data or metadata is available via other means to ISPs, networks operators, CDNs etc. is of no importance here. The topic is: OCSP leaks information. Why? Is it important? And what should Apple have done about it? Arguing that apps use ports etc. is just whataboutism.
Why does Apple use unsecure OCSP to transfer personnal data/metadata? Because it is their technical choice.
Is it important? As the RFC states, it depends on the "privacy requirement". For everyday mac users, maybe not, but that's not enough to disqualify the original blog post security issues as too far fetched. Especially when Apple is marketing its devices on the promise of data privacy. That marketing targets users who's "privacy requirements" are obviously high from the beginning.
What should Apple have done about it? Encrypt the metadata. Inform the users. Let the users disable the feature as a security compromise of their own choosing after warning them of what comes with the decision.
Because the article fails to explains the simple facts, and points the finger to other issues that are not the subject discussed, its conclusion is lacking objectivity. There is something to be said of Apple, a company that usually pushes the boundaries when it comes to standards and RFCs, when they implement a solution in an unsecure way. Be it only to remind everyone that marketing is marketing, and security is engineering.
Actual facts: 1 and 2 are correct. 3 is not.
While your personal definition may vary, the request neither contains parseable personal information by any actual or legal definition given the hash -- and not clear text -- of either the name of the application opening or the developer's name depending on who you listen to, nor a way to tie that hash after the fact to a user or user account, despite claims to the contrary by the original researcher -- and this was clear before Apple's clarification on Sunday night.
There is no "location data" as one poster here claimed beyond an IP sent, no usage information, or anything about what's being done, at all. There has never been any account information of any sort sent, and now we know that even IP addresses have been deleted and won't be retained going forward.
Furthermore, it doesn't qualify as a "leak" since it requires a MITM attack to harvest.
Opinion: The original researcher found low-hanging fruit to generate traffic, and it worked. And, there is a difference between education and whataboutism. Malcolm's choice to discuss ports and the overall transparency of Internet routing and networking is education, as AppleInsider is for everybody of all skill levels, and not just the networking knowledgeable such as yourself.
You are obviously welcome to interpret the news how you see fit, as humans are likely to do based on a number of factors, not the least of which are geography and career paths. However, the researcher calling it the end of privacy and other hyperbole was noise coupled with very little actual signal and no reader education.
Sending data in the open in 2020 is simply unacceptable. And bypassing VPN makes it even worse. If I lived in Hong Kong or North Korea and launched a VPN app then launched Tor browser to access some information deemed as illegal by comrades - and the hash sent in the open can identify the developer or app + my IP is traceable (because of bypassed VPN) - this activity would directly put my life in danger.
Apple did acknowledge some issues this weekend, essentially validating what the security researcher Jeffry Paul reported. So over the next year Apple will be making security enhancement changes such as stop logging IP addresses when checking for app notarizations. Sometime over the next twelve months they will also be making changes in delivery methodologies to help mitigate server failures.
...And of more importance to some users Apple will release a Mac update that allows the computer owner to opt-out of using the macOS security protections the researcher found to be potentially problematic.
Apple did not acknowledge what Jeffry Paul reported - what is sent is a hash of the DEVELOPER CERTIFICATE, not a hash of the app launched. This is a signifiant difference - Apple does not know what app was launched, just who the developer is. And the information sent to Apple does not identify the Apple user. It does include the IP address which *might* be linked to an Apple user, but that's it.
Apple did acknowledge some issues this weekend, essentially validating what the security researcher Jeffry Paul reported. So over the next year Apple will be making security enhancement changes such as stop logging IP addresses when checking for app notarizations. Sometime over the next twelve months they will also be making changes in delivery methodologies to help mitigate server failures.
...And of more importance to some users Apple will release a Mac update that allows the computer owner to opt-out of using the macOS security protections the researcher found to be potentially problematic.
Apple did not acknowledge what Jeffry Paul reported - what is sent is a hash of the DEVELOPER CERTIFICATE, not a hash of the app launched. This is a signifiant difference - Apple does not know what app was launched, just who the developer is. And the information sent to Apple does not identify the Apple user. It does include the IP address which *might* be linked to an Apple user, but that's it.
Yes indeed. All of the claims that Apple is sending out unencrypted hashes of app certificates are false. There are infrequent cases where Apple does query for notarization information about a specific app, but these requests are not part of OCSP and are done over an encrypted transport. Of course Mr Paul has doubled down on his “application hash” claim by claiming that most developers only ship one app, therefore the app that’s being checked can be inferred, just like obtaining the IP of the requester can infer the genome sequence of the individual using the computer.
Frankly, anyone who understands DNS can effectively disable the OCSP function. All of your apps will still launch, perhaps after an occasional time-out, because macOS has to be able to run disconnected. It all comes down to whether you are comfortable disabling a major security feature on you computer that was developed in response to a series of actual security breaches that have occurred in the wild. The capability that Apple, Microsoft, and most web browsers are using has been widely deployed for many years and had Apple’s servers not buckled under the stress of the Big Sur release we wouldn’t be talking about it at all.
Every time you open a web page your IP address is exposed. Is it possible that someone could infer where your requests are coming from based on your IP address? Sure, just like anyone has been able to do since the creation of the internet more than 30 years ago.The certificate serial number has no personally identifiable information related to YOU. It only identifies the bundle of code that is associated with the certificate, for example, a conspiracy storyboarding application.
If you believe that any of this is a huge privacy risk, put your computer behind a VPN or disconnect it from the internet. Problem solved.
This methodology works quite well for normal browsing and provides a great deal of anonymity.
Has it really been only 30 years since Al Gore created the internet? How time flies! I could swear it was 40 years ago when I worked at ANL.
I make it a point to always respond to the continuing lies about Al Gore's contributions to the Internet. George Bush's distortions about Gore continues to pervade the internet and comments. Massive lying and misinformation started before Trump. So, here's what the computer scientists who define the internet protocols actually said. And please inform your friends and colleagues to stop pushing the myth that it was Gore who was lying.
----------------------
Al Gore and the Internet
By Robert Kahn and Vinton Cerf
Dated: 28 Sep 2000
Al Gore was the first political leader to recognize the importance of the Internet and to promote and support its development.
No one person or even small group of persons exclusively invented the Internet. It is the result of many years of ongoing collaboration among people in government and the university community. But as the two people who designed the basic architecture and the core protocols that make the Internet work, we would like to acknowledge VP Gore’s contributions as a Congressman, Senator and as Vice President. No other elected official, to our knowledge, has made a greater contribution over a longer period of time.
Last year the Vice President made a straightforward statement on his role. He said: “During my service in the United States Congress I took the initiative in creating the Internet.” We don’t think, as some people have argued, that Gore intended to claim he invented the Internet. Moreover, there is no question in our minds that while serving as Senator, Gore’s initiatives had a significant and beneficial effect on the still-evolving Internet. The fact of the matter is that Gore was talking about and promoting the Internet long before most people were listening. We feel it is timely to offer our perspective.
As far back as the 1970s Congressman Gore promoted the idea of high speed telecommunications as an engine for both economic growth and the improvement of our educational system. He was the first elected official to grasp the potential of computer communications to have a broader impact than just improving the conduct of science and scholarship. Though easily forgotten, now, at the time this was an unproven and controversial concept. Our work on the Internet started in 1973 and was based on even earlier work that took place in the mid-late 1960s. But the Internet, as we know it today, was not deployed until 1983. When the Internet was still in the early stages of its deployment, Congressman Gore provided intellectual leadership by helping create the vision of the potential benefits of high speed computing and communication. As an example, he sponsored hearings on how advanced technologies might be put to use in areas like coordinating the response of government agencies to natural disasters and other crises.
As a Senator in the 1980s Gore urged government agencies to consolidate what at the time were several dozen different and unconnected networks into an Interagency Network. Working in a bi-partisan manner with officials in Ronald Reagan and George Bush’s administrations, Gore secured the passage of the High Performance Computing and Communications Act in 1991. This Gore Act supported the National Research and Education Network (NREN) initiative that became one of the major vehicles for the spread of the Internet beyond the field of computer science.
As Vice President Gore promoted building the Internet both up and out, as well as releasing the Internet from the control of the government agencies that spawned it. He served as the major administration proponent for continued investment in advanced computing and networking and private sector initiatives such as Net Day. He was and is a strong proponent of extending access to the network to schools and libraries. Today, approximately 95% of our nations schools are on the Internet. Gore provided much-needed political support for the speedy privatization of the Internet when the time arrived for it to become a commercially-driven operation.
There are many factors that have contributed to the Internet’s rapid growth since the later 1980s, not the least of which has been political support for its privatization and continued support for research in advanced networking technology. No one in public life has been more intellectually engaged in helping to create the climate for a thriving Internet than the Vice President. Gore has been a clear champion of this effort, both in the councils of government and with the public at large.
The Vice President deserves credit for his early recognition of the value of high speed computing and communication and for his long-term and consistent articulation of the potential value of the Internet to American citizens and industry and, indeed, to the rest of the world.
------------------------------
The direct Gore quote is “During my service in the United States Congress, I took the initiative in creating the Internet." What Kahn and Cerf "think" of this quote is just that... What they think. It's is their opinion, nothing more. Regardless of their opinion, Gore did state that he created the internet. I said nothing more than that.
Politicians (and perhaps people) as a whole tend to blow their own horn and inflate their achievements and self-worth. Had Gore stated something to the effect that he sponsored / spearheaded legislation which helped expand ARPANET into the publicly accessed network known as the internet. He did not. The foundations of the internet began in the 1960's and evolved over time into what we have today. While Gore may have had a significant hand in the legislative aspect of the internet's development as we know it, he absolutely did not create it.
As for "Massive lying and misinformation started before Trump." Absolutely correct! We cannot forget Obama, Bush (43), Clinton, Bush (41) or most any other President / politician / human being.
Umm... no.
"I took the initiative in creating the internet" =/= "I created the internet".
The internet was created. A lot of people and organizations played different parts in its creation. "Took the initiative" is one of those parts, or possibly even a part of one of those parts. In that statement, Al Gore (correctly or not) is claiming credit for that particular part, not the creation of the internet in entirety.
Perhaps then the question is "Well what does 'took the initiative' in that context even mean?" It's arguable that the description by Robert Kahn and Vinton Cerf is a pretty reasonable outline of what it might have meant.
Needless to say... I'm not taking a stand on this matter as to what contributions Al Gore did or didn't make to the internet. I'm merely pointing out that those words Al Gore allegedly said, do NOT mean "I created the internet" by any educated understanding of the English language.
Who cares if PRISM is shutdown, they have a new program that everyone will deny until the next whistleblower comes forward.
Echelon, Topsail, TIA (Total Information Awareness), TIA (Terroism Information Awareness), PRISM, etc. these programs come, get public awareness, get defunded, just to be resurrected under a different name, to get shut down and defunded, moved to private industry which then must cooperate by means of national security requests that make it even illegal for them to admit or talk about getting such requests, which means they are legally obliged to lie to your face and say they aren’t collecting data for the government.
That said, I don’t see these OCSP requests as troublesome, what is, however SCANDALOUS is the existence of a non-user-modifiable ContentFilterExclusionList.
This is a gaping security hole, and one that allows Apple under “government coercion” to selectively (based on AppleID) install non-blockable spyware on a user’s computer. In Germany the BND is actively pushing the use of Trojans to combat end-to-end encryption, and Apple is holding the door open for them!
Comments
Yeah, I'm a real apex predator, stalking the AppleInsider forums for forumite prey, making hundreds of benign posts to blend in with the crowd. And then, when they least expect it, I post about a gripe with Apple and then I've got them, another forumite fooled!
I guess then I eat them or something? I'm not really sure what the end game to this deception is supposed to be. That's the point where all this "paid shill" nonsense that Apple fanboys throw around falls apart; it just doesn't make any sense.
Again, it's all about the trust relationship between you and Apple. If you don't trust Apple and if you could opt-out of all of Apple's security protections, would you? This would mean signing something that would indemnify Apple for any and all losses that you suffer while using an Apple computer. You would take full responsibility for ensuring that everything that lands on your computer is safe and will not cause you any harm, i.e., you're on your own buddy - good luck. You become the trust authority - based on what knowledge? If you lose personal property, lose access to your computer, or have your personal information stolen from you due to malware, ransomware, or any form of nefarious software that YOU allowed on your computer because you trusted it, you'd be all alone and SOL, but yeah, Apple wouldn't potentially know that you're launching your favorite video game or making TikToc videos every day when you really should be working. It's all about weighing the trade-offs and balancing pragmatism with ideology.
When I open BBEDIT, MacOS asks me to enter the password of the ID under which I purchased BBEDIT. And its seems to ask EVERY TIME.
Under no circumstances is this acceptable.
I make it a point to always respond to the continuing lies about Al Gore's contributions to the Internet. George Bush's distortions about Gore continues to pervade the internet and comments. Massive lying and misinformation started before Trump. So, here's what the computer scientists who define the internet protocols actually said. And please inform your friends and colleagues to stop pushing the myth that it was Gore who was lying.
----------------------
Al Gore and the Internet
By Robert Kahn and Vinton Cerf
Dated: 28 Sep 2000
Al Gore was the first political leader to recognize the importance of the Internet and to promote and support its development.
No one person or even small group of persons exclusively invented the Internet. It is the result of many years of ongoing collaboration among people in government and the university community. But as the two people who designed the basic architecture and the core protocols that make the Internet work, we would like to acknowledge VP Gore’s contributions as a Congressman, Senator and as Vice President. No other elected official, to our knowledge, has made a greater contribution over a longer period of time.
Last year the Vice President made a straightforward statement on his role. He said: “During my service in the United States Congress I took the initiative in creating the Internet.” We don’t think, as some people have argued, that Gore intended to claim he invented the Internet. Moreover, there is no question in our minds that while serving as Senator, Gore’s initiatives had a significant and beneficial effect on the still-evolving Internet. The fact of the matter is that Gore was talking about and promoting the Internet long before most people were listening. We feel it is timely to offer our perspective.
As far back as the 1970s Congressman Gore promoted the idea of high speed telecommunications as an engine for both economic growth and the improvement of our educational system. He was the first elected official to grasp the potential of computer communications to have a broader impact than just improving the conduct of science and scholarship. Though easily forgotten, now, at the time this was an unproven and controversial concept. Our work on the Internet started in 1973 and was based on even earlier work that took place in the mid-late 1960s. But the Internet, as we know it today, was not deployed until 1983. When the Internet was still in the early stages of its deployment, Congressman Gore provided intellectual leadership by helping create the vision of the potential benefits of high speed computing and communication. As an example, he sponsored hearings on how advanced technologies might be put to use in areas like coordinating the response of government agencies to natural disasters and other crises.
As a Senator in the 1980s Gore urged government agencies to consolidate what at the time were several dozen different and unconnected networks into an Interagency Network. Working in a bi-partisan manner with officials in Ronald Reagan and George Bush’s administrations, Gore secured the passage of the High Performance Computing and Communications Act in 1991. This Gore Act supported the National Research and Education Network (NREN) initiative that became one of the major vehicles for the spread of the Internet beyond the field of computer science.
As Vice President Gore promoted building the Internet both up and out, as well as releasing the Internet from the control of the government agencies that spawned it. He served as the major administration proponent for continued investment in advanced computing and networking and private sector initiatives such as Net Day. He was and is a strong proponent of extending access to the network to schools and libraries. Today, approximately 95% of our nations schools are on the Internet. Gore provided much-needed political support for the speedy privatization of the Internet when the time arrived for it to become a commercially-driven operation.
There are many factors that have contributed to the Internet’s rapid growth since the later 1980s, not the least of which has been political support for its privatization and continued support for research in advanced networking technology. No one in public life has been more intellectually engaged in helping to create the climate for a thriving Internet than the Vice President. Gore has been a clear champion of this effort, both in the councils of government and with the public at large.
The Vice President deserves credit for his early recognition of the value of high speed computing and communication and for his long-term and consistent articulation of the potential value of the Internet to American citizens and industry and, indeed, to the rest of the world.
------------------------------
Politicians (and perhaps people) as a whole tend to blow their own horn and inflate their achievements and self-worth. Had Gore stated something to the effect that he sponsored / spearheaded legislation which helped expand ARPANET into the publicly accessed network known as the internet. He did not. The foundations of the internet began in the 1960's and evolved over time into what we have today. While Gore may have had a significant hand in the legislative aspect of the internet's development as we know it, he absolutely did not create it.
As for "Massive lying and misinformation started before Trump." Absolutely correct! We cannot forget Obama, Bush (43), Clinton, Bush (41) or most any other President / politician / human being.
https://support.apple.com/en-us/HT202491
“
Privacy protections
macOS has been designed to keep users and their data safe while respecting their privacy.
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the the next year we will introduce several changes to our security checks:
You are making claims that are contradictory to what Apple has publicly stated. There are far too many cash strapped lawyers on the planet for Apple to serve up a softball in the form of an obvious lie.
As far as not encrypting OCSP requests, if there is no personally identifiable information (PII) in the request, what is the concern from a privacy standpoint? There are other legitimate concerns related to security, as in an inherent vulnerability to man in the middle attacks, but if Apple is telling the truth, why all the fuss? As you see above, they will be upgrading to encrypted protocol soon.
As I said, it’s all about trust. Either you trust that Apple is using OCSP and notarization to protect you from apps/binaries that have been revoked or tampered, respectively, you trust that Apple isn’t hiding any PII in the revocation checks, and you trust that Apple isn’t saving IP addresses in their logs ... or you don’t. If you don’t trust Apple, why keep using their stuff? Microsoft, Google, and the Linux world are as eager as Apple to earn your trust, but keep in mind that Microsoft and Google have their own processes in place to handle the same requirements. In Google’s case, it’s a homegrown solution, which should make you feel very very comfortable - or maybe not.
Also note that the “opt-out” option is related to revocation. There is nothing stating that Apple will allow users to “opt-out of all security.” I’d be interested to know why anyone running a connected computer would opt-out of revocation checking, but what the heck, having been personally impacted by the Stuxnet debacle my perspective is different than some other folks.
While your personal definition may vary, the request neither contains parseable personal information by any actual or legal definition given the hash -- and not clear text -- of either the name of the application opening or the developer's name depending on who you listen to, nor a way to tie that hash after the fact to a user or user account, despite claims to the contrary by the original researcher -- and this was clear before Apple's clarification on Sunday night.
There is no "location data" as one poster here claimed beyond an IP sent, no usage information, or anything about what's being done, at all. There has never been any account information of any sort sent, and now we know that even IP addresses have been deleted and won't be retained going forward.
Furthermore, it doesn't qualify as a "leak" since it requires a MITM attack to harvest.
Opinion: The original researcher found low-hanging fruit to generate traffic, and it worked. And, there is a difference between education and whataboutism. Malcolm's choice to discuss ports and the overall transparency of Internet routing and networking is education, as AppleInsider is for everybody of all skill levels, and not just the networking knowledgeable such as yourself.
You are obviously welcome to interpret the news how you see fit, as humans are likely to do based on a number of factors, not the least of which are geography and career paths. However, the researcher calling it the end of privacy and other hyperbole was noise coupled with very little actual signal and no reader education.
If I lived in Hong Kong or North Korea and launched a VPN app then launched Tor browser to access some information deemed as illegal by comrades - and the hash sent in the open can identify the developer or app + my IP is traceable (because of bypassed VPN) - this activity would directly put my life in danger.
"I took the initiative in creating the internet" =/= "I created the internet".
The internet was created. A lot of people and organizations played different parts in its creation. "Took the initiative" is one of those parts, or possibly even a part of one of those parts. In that statement, Al Gore (correctly or not) is claiming credit for that particular part, not the creation of the internet in entirety.
Perhaps then the question is "Well what does 'took the initiative' in that context even mean?" It's arguable that the description by Robert Kahn and Vinton Cerf is a pretty reasonable outline of what it might have meant.
Needless to say... I'm not taking a stand on this matter as to what contributions Al Gore did or didn't make to the internet. I'm merely pointing out that those words Al Gore allegedly said, do NOT mean "I created the internet" by any educated understanding of the English language.
Echelon, Topsail, TIA (Total Information Awareness), TIA (Terroism Information Awareness), PRISM, etc. these programs come, get public awareness, get defunded, just to be resurrected under a different name, to get shut down and defunded, moved to private industry which then must cooperate by means of national security requests that make it even illegal for them to admit or talk about getting such requests, which means they are legally obliged to lie to your face and say they aren’t collecting data for the government.
That said, I don’t see these OCSP requests as troublesome, what is, however SCANDALOUS is the existence of a non-user-modifiable ContentFilterExclusionList.
This is a gaping security hole, and one that allows Apple under “government coercion” to selectively (based on AppleID) install non-blockable spyware on a user’s computer. In Germany the BND is actively pushing the use of Trojans to combat end-to-end encryption, and Apple is holding the door open for them!