Update Nov. 15, 7:54PM PST: Apple has clarified the situation to iPhone in Canada and also detailed its privacy protections in macOS and further explained what caused slow loading apps. Our original story is as follows below.
Shortly after the release of macOS 11, Apple’s OCSP server went down for the first time on Thursday, rendering Macs all over the world virtually useless for an entire evening.
In the aftermath of the outage, a Reddit thread citing an essay written by hacker and security researcher Jeffrey Paul has shed light on the gaping holes in privacy left by the Mac manufacturer’s implementation of the Online Certificate Status Protocol (OCSP).
This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.
Whenever you launch a non-Apple program on your Mac, macOS records the program’s hash (unique identifier) and sends it to Apple’s OCSP server to check if the program’s developer certificate has been revoked. Your Mac won’t launch the program until the OCSP server verifies that the program’s developer certificate is still valid.
And if Apple’s OCSP server is down (like it was on Thursday), your Mac will be unable to verify the certificate of the program you’re trying to open, and will not launch the program at all. The situation persists as long as you’re connected to the internet, since being offline bypasses the certificate check.
The cited essay puts forward the idea that this system could potentially be used to prevent users from launching specific programs on their Macs.
A deeper dive into Apple’s certificate authentication practices has also revealed that requests sent to the OCSP server include the date, time, the device used, the ISP you’re connected to, and the city and state you’re in, making it possible to extrapolate your physical location from that information. And if that wasn’t enough, all of this information is sent as plain text, without being encrypted, and ultimately ends up at a CDN run by Akamai, a third party.
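To make concrete what an OCSP check actually puts on the wire, here is an added example (not Apple’s code, and not from the cited essay) that builds a minimal RFC 6960 OCSP request with the Python standard library and decodes it again. The issuer name, issuer public key and serial number below are constructed placeholders, not real Apple certificate data. The request body identifies one certificate, by hashes of its issuer plus its serial number; it carries no hash of the application binary, and the ISP, city and state the article mentions are inferred by the server side from the connection’s IP address and headers, not from fields in the request itself. OCSP over plain HTTP is what RFC 6960 specifies; the responses are signed, which is why the protocol does not depend on transport encryption for integrity, but it also means the request is visible to anything on the path, including the CDN.

```python
"""Build and decode a minimal OCSP request (RFC 6960) with only the standard library.

Added example, not Apple's code: it shows what a client puts on the wire when
it asks an OCSP responder about one certificate. Every sample value below is a
constructed placeholder, not real certificate data.
"""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")   # id-sha1, 1.3.14.3.2.26
CN_OID = bytes.fromhex("550403")         # id-at-commonName, 2.5.4.3


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One DER TLV element."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value):
    """DER INTEGER for a non-negative value (extra leading byte keeps it positive)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_ocsp_request(issuer_name_der, issuer_public_key, serial_number):
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } }.

    CertID carries the SHA-1 of the issuer Name, the SHA-1 of the issuer's
    subjectPublicKey bytes, and the serial number of the certificate being
    checked. That is all the responder learns about the certificate.
    """
    algorithm_id = der(0x30, der(0x06, SHA1_OID) + b"\x05\x00")  # sha1 with NULL params
    cert_id = der(0x30,
                  algorithm_id
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_public_key).digest())
                  + der_integer(serial_number))
    request = der(0x30, cert_id)
    request_list = der(0x30, request)
    tbs_request = der(0x30, request_list)   # version [0] and requestorName [1] omitted
    return der(0x30, tbs_request)


def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, body, position after the element)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_request(der_bytes):
    """Return the CertID fields of the first Request inside an OCSPRequest."""
    _, ocsp_body, _ = read_tlv(der_bytes, 0)          # OCSPRequest
    _, tbs_body, _ = read_tlv(ocsp_body, 0)           # TBSRequest
    pos = 0
    tag, body, nxt = read_tlv(tbs_body, pos)
    while tag in (0xA0, 0xA1):                        # skip optional [0] version / [1] requestorName
        pos = nxt
        tag, body, nxt = read_tlv(tbs_body, pos)
    if tag != 0x30:
        raise ValueError("requestList missing")
    _, request_body, _ = read_tlv(body, 0)            # first Request
    _, cert_id, _ = read_tlv(request_body, 0)         # CertID
    _, alg, p = read_tlv(cert_id, 0)                  # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg, 0)
    _, name_hash, p = read_tlv(cert_id, p)
    _, key_hash, p = read_tlv(cert_id, p)
    _, serial, _ = read_tlv(cert_id, p)
    return {
        "hash_algorithm": "sha1" if oid == SHA1_OID else oid.hex(),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": int.from_bytes(serial, "big", signed=True),
    }


# Constructed sample issuer: Name { RDN { CN = "Example Developer CA (constructed)" } }
SAMPLE_ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID)
                                             + der(0x0C, b"Example Developer CA (constructed)"))))
SAMPLE_ISSUER_KEY = bytes(range(65))       # placeholder for the issuer's subjectPublicKey bytes
SAMPLE_SERIAL = 0x1234567890ABCDEF         # placeholder serial of one developer certificate

if __name__ == "__main__":
    req = build_ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, SAMPLE_SERIAL)
    print(f"{len(req)}-byte request (sent as application/ocsp-request over HTTP):")
    for field, value in parse_ocsp_request(req).items():
        print(f"  {field}: {value}")
```

Run it and the decoded fields are the only per-certificate data in the request: two 20-byte hashes that identify the issuing CA and an integer serial that identifies the developer’s certificate. Every launch of any application signed with that certificate produces the same bytes, so an observer on the path learns which signing certificate was checked and when, not which binary was opened; the hash of the program itself never appears.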
Some users on the original Reddit thread dismissed the privacy concerns, arguing that the cited essay is nothing but “alarmist speculation”. Others, however, commented on the hypocrisy of a privacy advocate like Apple employing such practices. At the end of the day, consumers need to pick and choose which companies they will trust to protect their data and privacy.
That is not actually correct.
OCSP has nothing to do with application hashes, but with the developer’s certificate.
— Edwin G. (@Ed7789) November 15, 2020
Are you okay with Apple’s implementation here for checking certificates of all third-party apps you open?