Last Thursday afternoon, Mac users everywhere began complaining about a crippling lag when opening apps. The cause: Online certificate checks that Apple performs every time a user opens an app that wasn’t downloaded from the App Store. The massive upgrade to Big Sur, it seems, caused the Apple servers responsible for these checks to slow down.
Apple quickly fixed the delay, but concerns about crippled Macs soon gave way to an even bigger concern: the vast amount of personal data that Apple, and possibly others, could collect from Macs that run certificate checks every time a user opens an app that didn’t come from the App Store.
For people who understood what went on behind the scenes, there was little reason to see the certificate checks as a privacy grab. But just to be on the safe side, Apple published a support article on Monday that should allay any lingering concerns. More on that later. Let’s back up first and give some background.
Get to know OCSP
Before Apple allows an app on the App Store, it must first pass a review that checks its safety. Users can configure the macOS Gatekeeper feature to allow only these approved apps, or they can choose a setting that also allows the installation of third-party apps, as long as those apps are signed with an Apple-issued developer certificate. To make sure the certificate has not been revoked, macOS uses OCSP, short for the industry-standard Online Certificate Status Protocol, to check its validity.
Checking the validity of a certificate – any certificate – that authenticates a website or a piece of software sounds simple enough, but it has long created problems across the industry that are not easy to solve. The first approach was certificate revocation lists, but as the lists grew, their sheer size kept them from working effectively. CRLs gave way to OCSP, which queries remote servers instead.
OCSP, it turned out, had its own drawbacks. Servers sometimes go down, and when they do, OCSP server outages can paralyze millions of people trying to do things like visit sites, install apps, and check email. To guard against this danger, OCSP uses a so-called ‘soft fail’ by default: instead of blocking the website or software being checked, the client treats the certificate as valid when the server does not respond.
Somehow, the massive number of people upgrading to Big Sur on Thursday seems to have caused the servers at ocsp.apple.com to become overloaded without failing completely. The servers could not clear the backlog of requests, but they also did not return an error that would trigger the soft fail. As a result, huge numbers of Mac users were left hanging.
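The soft-fail behaviour just described, and the way an overloaded-but-not-down responder defeats it, as an added toy model (not Apple's or any OCSP library's code): `make_responder` and `check_certificate` are hypothetical, the responders are constructed stand-ins for ocsp.apple.com, and no real OCSP encoding or network traffic is involved.

```python
"""Toy OCSP client with soft-fail semantics (added example, not Apple's code).
Constructed responders stand in for ocsp.apple.com; nothing touches the network.
States mirror the article: 'good', 'revoked', unreachable (soft-fail applies)
and overloaded (accepts the request, answers late: the Big Sur hang).
"""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as ResponderTimeout


class ResponderError(Exception):
    """Network-level failure (DNS error, connection refused, TCP reset)."""


def make_responder(state, delay=0.0):
    """Fake responder; state is 'good', 'revoked' or 'unreachable'."""
    def responder(serial):
        if state == "unreachable":
            raise ResponderError("connection refused")
        time.sleep(delay)  # overloaded server: slow, but not down
        return state
    return responder


def _on_failure(soft_fail, detail):
    """Soft-fail allows the app (availability); hard-fail blocks it."""
    if soft_fail:
        return "allow", "soft-fail: " + detail
    return "block", "hard-fail: " + detail


def check_certificate(responder, serial, timeout=None, soft_fail=True):
    """Return (decision, reason, seconds_waited) for one developer-cert check.

    timeout=None waits as long as the responder takes, which is how an
    overloaded server becomes a launch hang; a deadline lets soft-fail apply.
    """
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(responder, serial)
    try:
        status = future.result(timeout=timeout)
    except ResponderError as exc:
        decision, reason = _on_failure(soft_fail, "unreachable: %s" % exc)
    except ResponderTimeout:
        decision, reason = _on_failure(soft_fail, "no answer within %ss" % timeout)
    else:
        decision, reason = ("block", "certificate revoked") if status == "revoked" else ("allow", "certificate good")
    finally:
        pool.shutdown(wait=False)  # never block on a stuck responder thread
    return decision, reason, round(time.monotonic() - start, 3)
```

Run with a 0.5 s responder delay and `timeout=None` to see the hang the article describes; the same responder with `timeout=0.1` falls through to the soft-fail path instead.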
Apple fixed the ocsp.apple.com availability problem, presumably by adding more server capacity. Normally that would have been the end of the problem, but it wasn’t. Soon, social media was flooded with claims that the macOS app checking process turned Apple into a Big Brother that tracked time and location when users opened or reopened an app that wasn’t downloaded from the App Store.
Paranoia runs deep
The Your Computer Isn’t Yours post was one of the catalysts for the mass concern. It noted that the simple HTTP fetch requests performed by OCSP were not encrypted. That meant that not only Apple, but also ISPs or anyone else who could see the traffic on the network, could build profiles based on our minute-by-minute Mac usage. (To avoid getting into an infinite authentication loop, virtually all OCSP traffic is unencrypted, although responses are digitally signed.)
Fortunately, less alarming posts like this provided more useful background information. The hashes sent were not unique to the app itself, but rather to the developer certificate issued by Apple. This still allowed people to deduce when an app like Tor, Signal, Firefox, or Thunderbird was being used, but it was still less detailed than many people initially thought.
The bigger point was that the data collected by ocsp.apple.com was, in most respects, not much different from the information already sent through OCSP in real time every time we visit a website. To be sure, there are some differences. Apple sees OCSP requests for all Mac apps not downloaded from the App Store, which is presumably a huge number. OCSP requests for other digitally signed software go to hundreds or thousands of different certificate authorities and are generally only sent when the app is installed.
Basically, the takeaway was the same: OCSP’s potential loss of privacy is a tradeoff we make in order to verify the validity of the certificate that authenticates a website we want to visit or a piece of software we want to install.
In an effort to further reassure Mac users, Apple published this message on Monday. It explains what the company does and doesn’t do with the information collected through Gatekeeper and a separate feature known as Notarization, which checks security even of non-App Store apps. The message states:
Gatekeeper performs online checks to verify whether an app contains known malware and whether the developer’s signing certificate has been revoked. We have never combined data from these checks with information about Apple users or their devices. We don’t use the data from these checks to learn what individual users launch or do on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resistant to server failures.
These security checks never include the user’s Apple ID or device identity. To further protect privacy, we have stopped logging IP addresses associated with developer ID certificate checks and will ensure that all collected IP addresses are removed from logs.
The post went on to say that next year Apple will offer a new protocol for checking for revoked developer certificates, provide “strong protection against server failures” and add a new OS setting for users who want to opt out of all of this.
The controversy over the behavior of macOS since at least Catalina was introduced last October underlines the trade-off that sometimes occurs between security and privacy. Gatekeeper is designed to make it easy for less experienced users to avoid apps that are known to be malicious. To use Gatekeeper, users must send a certain amount of information to Apple.
Not that Apple is completely flawless. For starters, Apple’s developers haven’t provided an easy way to opt out of OCSP checks. As a result, blocking access to ocsp.apple.com is the only way to do that, and it’s too difficult for less experienced Mac users.
The other mistake is relying entirely on OCSP. Because of the soft-fail design, the protection can be bypassed, in some cases intentionally by an attacker and in others simply by a network failure. Apple is hardly alone in relying on OCSP, however. A revocation-checking method known as CRLite may eventually provide a solution to this weakness.
People who don’t trust OCSP checks for Mac apps can disable them by editing the Mac hosts file. Everyone else can move along.