_N_

Posts (1)
  • macOS Big Sur telling Apple what app you've opened isn't a security or privacy issue

    Facts:

    1. OCSP is not encrypted by default, and the RFC (https://tools.ietf.org/html/rfc6960) states that "where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either Transport Layer Security/Secure Socket Layer (TLS/SSL) or some other lower-layer protocol."
    2. It is reported that Apple does not use encryption for its OCSP requests.
    3. The request contains personal information.

    Thus Apple's use of OCSP leaks personal information on the network.

    Opinion:

    That other data or metadata is available via other means to ISPs, network operators, CDNs etc. is of no importance here. The topic is: OCSP leaks information. Why? Is it important? And what should Apple have done about it? Arguing that apps use ports etc. is just whataboutism.

    Why does Apple use insecure OCSP to transfer personal data/metadata? Because it is their technical choice.

    Is it important? As the RFC states, it depends on the "privacy requirement". For everyday Mac users, maybe not, but that's not enough to disqualify the original blog post's security issues as too far-fetched. Especially when Apple is marketing its devices on the promise of data privacy. That marketing targets users whose "privacy requirements" are obviously high from the beginning.

    What should Apple have done about it? Encrypt the metadata. Inform the users. Let the users disable the feature as a security compromise of their own choosing after warning them of what comes with the decision.

    Because the article fails to explain the simple facts, and points the finger at other issues that are not the subject discussed, its conclusion is lacking objectivity. There is something to be said of Apple, a company that usually pushes the boundaries when it comes to standards and RFCs, when they implement a solution in an insecure way. Be it only to remind everyone that marketing is marketing, and security is engineering.

    Pascalxx
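To make concrete what facts 1 and 3 above mean on the wire, here is an added example that is not code from the post, from Apple, or from any project the post mentions. It encodes a minimal OCSPRequest in the structure RFC 6960 section 4.1.1 defines (one CertID, no signature, no extensions) using constructed issuer hashes and a constructed serial number, then decodes it with a small DER walker, which is all a passive observer of plaintext HTTP needs to do. Every value, helper name and function name is my own assumption; nothing here reproduces a real request.

```python
"""Constructed example: encode and decode a minimal RFC 6960 OCSPRequest to
show which identifiers travel in the clear when OCSP is sent over plain HTTP.
Not Apple's code; all sample values below are constructed."""
import hashlib

SEQ, INT, OCTET, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
OID_NAMES = {
    bytes.fromhex("2b0e03021a"): "sha1",              # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",    # 2.16.840.1.101.3.4.2.1
}

# ---- minimal DER encoding (enough for this structure) ----------------------
def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    # one spare byte keeps the sign bit clear for positive serial numbers
    return tlv(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial,
                       hash_oid=bytes.fromhex("2b0e03021a")):
    """OCSPRequest { tbsRequest { requestList [ Request { CertID } ] } }."""
    alg_id = tlv(SEQ, tlv(OID, hash_oid) + tlv(NULL, b""))
    cert_id = tlv(SEQ, alg_id + tlv(OCTET, issuer_name_hash)
                  + tlv(OCTET, issuer_key_hash) + der_int(serial))
    request_list = tlv(SEQ, tlv(SEQ, cert_id))   # SEQUENCE OF Request
    tbs_request = tlv(SEQ, request_list)         # version v1 is DEFAULT, omitted
    return tlv(SEQ, tbs_request)

# ---- minimal DER decoding --------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def parse_ocsp_request(data):
    """Return the CertID fields of every Request in an unencrypted OCSPRequest."""
    _, ocsp_request, _ = read_tlv(data)
    _, tbs_request = children(ocsp_request)[0]
    # skip the optional [0] version and [1] requestorName (context-specific tags)
    request_list = next(body for tag, body in children(tbs_request) if tag == SEQ)
    results = []
    for _, request in children(request_list):
        _, cert_id = children(request)[0]          # reqCert comes first
        (_, alg_id), (_, name_hash), (_, key_hash), (_, serial) = children(cert_id)[:4]
        oid = children(alg_id)[0][1]
        results.append({
            "hash_algorithm": OID_NAMES.get(oid, oid.hex()),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial_number": int.from_bytes(serial, "big", signed=True),
        })
    return results

# Constructed sample values (not from any real CA or certificate)
ISSUER_NAME_HASH = hashlib.sha1(b"CN=Constructed Developer CA").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"constructed-issuer-public-key-bytes").digest()
SERIAL = 0x1A2B3C4D5E6F

if __name__ == "__main__":
    wire_bytes = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL)
    # Over http:// these exact bytes cross every hop unencrypted.
    for cert_id in parse_ocsp_request(wire_bytes):
        print(cert_id)
```

The CertID is the point: the request names the certificate being checked by issuer name hash, issuer key hash and serial number, and that tuple is a stable identifier of one signer's certificate. Sent over http:// it is readable at every hop, which is precisely the metadata TLS would hide. A defender auditing a network can run the same decoder over captured POST bodies with Content-Type application/ocsp-request to see what leaves a host.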