1. 9

  2. 3

    Someone wrote up a nice article on this behavior: https://sneak.berlin/20201112/your-computer-isnt-yours/

    In general, Apple’s responses have been well-worded. Perhaps Apple doesn’t use this information, but maybe someone else does, or else, why collect it?

    The troubling part of this is that the latest release, Big Sur, apparently bypasses VPNs and local firewalls when transmitting this information. I don’t think Apple has addressed this concern in any public statements yet.

    1. 1

      Notable details from the doc:

      Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.

      Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.

      These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

      In addition, over the next year we will introduce several changes to our security checks:

      • A new encrypted protocol for Developer ID certificate revocation checks
      • Strong protections against server failure
      • A new preference for users to opt out of these security protections
      1. 2

        We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices

        It’s nice to hear them state that explicitly, I wonder if people believe it when it comes from Apple.

        1. 1

          I might have misunderstood, but I thought people were mostly worried about data collection and MITM attacks given that the ocsp.apple.com requests are made in the clear. I don’t believe Apple’s doc actually addresses those concerns.

          1. 3

            The responses are signed, even in the current version, so a MITM can’t fake them. They can DoS the user, though.

            1. 4

              They might be signed, so they can’t be MITM’d, but the issue is that all that tracking data is being sent in cleartext.

            2. 1

              A new encrypted protocol for Developer ID certificate revocation checks

              Doesn’t this address it? Or is this about something else?

              1. 2

                Ah, you are right, it does address it… but as a future feature. That means the current implementation is indeed open to the winds.
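The thread above turns on what an on-path observer can read out of an unencrypted OCSP request, as opposed to forging the signed response. The following is an added example (not code from the thread, from Apple, or from any macOS component): it builds a minimal RFC 6960 OCSPRequest in DER with the Python standard library only, wraps it in the HTTP GET form of RFC 6960 Appendix A (base64 of the DER, URL-encoded into the path), and then parses it back the way a passive observer on the wire would. The issuer name bytes, issuer key bytes and serial number are constructed placeholders, not values from any real Apple certificate; the `http://ocsp.apple.com` responder URL is used only as the path prefix.

```python
"""Build and parse a cleartext OCSP request to show what a passive observer learns.

Added example, standard library only. All certificate material below is
constructed for illustration and does not come from any real certificate.
"""
import base64
import hashlib
import urllib.parse

# AlgorithmIdentifier OIDs that appear in CertID.hashAlgorithm (RFC 6960 s4.1.1).
HASH_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",              # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",    # 2.16.840.1.101.3.4.2.1
}
OID_SHA1 = bytes.fromhex("2b0e03021a")


# ---- tiny DER encoder ------------------------------------------------------
def der_len(n: int) -> bytes:
    """Definite-form DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER (adds a 0x00 pad byte when the top bit is set)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def build_ocsp_request(issuer_name_der: bytes, issuer_key: bytes, serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { reqCert CertID } } } }.

    issuerNameHash is the hash of the issuer's DER Name, issuerKeyHash the hash of the
    issuer's public key bits; here both inputs are placeholders supplied by the caller.
    """
    alg_id = tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))        # sha1 + NULL params
    cert_id = tlv(0x30, alg_id
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + der_integer(serial))
    request = tlv(0x30, cert_id)            # Request (no singleRequestExtensions)
    request_list = tlv(0x30, request)       # SEQUENCE OF Request
    tbs = tlv(0x30, request_list)           # TBSRequest, version defaults to v1
    return tlv(0x30, tbs)                   # OCSPRequest, no optionalSignature


def ocsp_get_url(responder: str, der: bytes) -> str:
    """RFC 6960 Appendix A: GET {responder}/{url-encoded base64 of the DER request}."""
    return responder.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(der).decode(), safe="")


# ---- tiny DER decoder (the observer's side) --------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def ocsp_from_get_path(url: str) -> bytes:
    """Recover the DER request from the GET form (last path segment)."""
    return base64.b64decode(urllib.parse.unquote(url.rsplit("/", 1)[1]))


def parse_ocsp_request(der: bytes):
    """Extract every CertID: this is exactly what a passive observer sees in cleartext."""
    _, outer, _ = read_tlv(der)                     # OCSPRequest
    _, tbs, _ = read_tlv(outer)                     # TBSRequest
    # Skip optional [0] version / [1] requestorName; requestList is the bare SEQUENCE.
    request_list = next(val for tag, val in children(tbs) if tag == 0x30)
    seen = []
    for _, request in children(request_list):
        cert_id = children(request)[0][1]           # reqCert, extensions ignored
        alg, name_hash, key_hash, serial = children(cert_id)
        alg_oid = children(alg[1])[0][1]
        seen.append({
            "hash_alg": HASH_OIDS.get(alg_oid, alg_oid.hex()),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big", signed=True),
        })
    return seen


if __name__ == "__main__":
    # Constructed placeholders; a real client hashes the issuer's DER Name and key bits.
    der = build_ocsp_request(b"CN=Example Issuer CA (constructed)", b"\x03" * 64, 0x0123456789ABCDEF)
    url = ocsp_get_url("http://ocsp.apple.com", der)
    print("GET", url)
    for entry in parse_ocsp_request(ocsp_from_get_path(url)):
        print("observer sees:", entry)
```

The parser recovers the issuer hashes and the certificate serial number from the request alone, with no key material; that pair identifies which certificate the client is asking about, which is the observation the cleartext side of the thread is making. It says nothing about whether the response can be forged, since a response carries its own signature, which is the separate point raised above.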