MacOS App Security Histrionics ⇥ blog.jacopo.io
For a few hours on Big Sur’s launch day, Apple’s overwhelmed servers prevented a MacOS process called
trustd from quickly verifying signatures using the Online Certificate Status Protocol, or OCSP. This affected many versions of MacOS and manifested as applications taking forever to launch, and some general slowness.
This problem sucked, but it was resolved quickly. I hope a future MacOS update has a patch for whatever bug created this misbehaviour. But, this being the internet, it somehow snowballed into a crisis — MacOS is apparently spying on users, it’s worse in Big Sur, and that means Apple’s new M1 products that run nothing but Big Sur are evil surveillance devices that should not be bought by anyone. Or, at least, that’s what you would think if you read Jeffrey Paul’s article that hit the top of Techmeme and Hacker News:
On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.
It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.
This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.
If you read this and thought hey, this doesn’t seem right, you’re not alone. I wanted to know the answers to at least these questions:
Does a request to Apple’s OCSP server include a signature specific to an application?
Does it report this to Apple on every launch?
Why are these requests made over HTTP and not HTTPS?
Are these requests logged remotely and, if so, for how long?
Is this documented anywhere?
Over the past couple of days, I have read dozens of articles about OCSP, monitored
trustd’s network activity for myself, poked around local certificate databases, and generally got a bit obsessive. I cannot recommend this. But the feeling I had last night is that either my research skills are terrible, or Paul fundamentally misunderstands OCSP and what MacOS is doing. To be clear, I am not confident I have a full handle on this topic, either, but I think the most alarming aspects of Paul’s post are incorrect.
The answer to the third question I had — why these requests were made over plain HTTP, instead of HTTPS — materialized quickly. OCSP is a certificate verification protocol. It needs to check the validity of certificates, so if it was signing those requests with an HTTPS certificate, how could it verify that its own request was valid? It is a recursive problem. It is, as best as I can tell, extremely common to make a request like this over plain HTTP.
But that still left me with my questions about the behaviour of MacOS. Apple loudly trumpets its privacy bonafides over its competitors’ practices, so the accusations levelled by Paul would deeply undermine trust and confidence in those statements.
A gut check came today in the form of a fantastic technical explanation from Jacopo Jannone, via John Gruber. This is exactly the kind of article I was looking for:
Capturing a OCSP request is as easy as setting up an HTTP proxy or starting Wireshark. No HTTPS means no encryption, no certificate pinning, no problems whatsoever. I captured the following request while opening Firefox.
I should also add that after closing Firefox and opening it again, no requests were made. This is reasonable, and indicates that certificate checking isn’t performed at each launch but only after it hasn’t been performed for a certain period of time.
It is clear that the
trustdservice on macOS doesn’t send out a hash of the apps you launch. Instead, it just sends information about some certificate — as we would certainly expect after understanding what OCSP is in the first place.
I cannot recommend Jannone’s article highly enough. It is as clear-headed and as easy-to-follow an explanation as you could hope for, given the technical subject matter. It answers my first two questions, both of which are among the more egregious accusations Paul levelled against MacOS’ behaviour.
But Jannone’s research did not appear until two days after Paul’s post, so the bad information in the latter has showed up everywhere. Purism piggybacked on it to sell its “Libre”-branded smartphones and laptops.
Jeff Benson of Decrypt wrote a very long article summarizing Paul’s findings, but until the second-to-last paragraph did not explain that it is an industry standard:
Hardeman implied that Apple is more or less using an industry standard protocol as it’s meant to be used—and that most people benefit from it. However, he called on Apple to fix the bugs that “resulted in all the screaming yesterday.”
I found a post from 2011 on Sophos’ blog chastising Apple for, at the time, leaving OCSP as an option that users were required to switch on.
However, I still do not have answers to questions four and five on my list. I think this is something Apple should be documenting in a format as clear as Jannone’s post. Paul’s article is incendiary but, as it turns out, largely untrue, at least in its most serious accusations.1 The headlines and summaries of this saga make it seem like Apple is practically running a keylogger on every Mac. The sober reality is that MacOS sometimes checks the validity of certificates of all types, something which it has done for years. All these histrionics for something really boring and not, actually, a tool for spying, not even accidentally.
He also relies upon Glenn Greenwald’s mischaracterizing explanation of how the NSA’s PRISM program functions, calling Apple a “partner”, and claims in the original that there is no way to block OCSP requests, something that is easily disproved by the dozens of people who simply added it to their
/etc/hostsfile. That’s probably not a good idea, but it is possible.
Oh, and in his previous post criticizing Twitter’s moderation practices, a couple of his arguments would make @BadSec230Takes proud.
I just think it would have been helpful for all of the outlets that feverishly republished his wild claims to have verified them first, but that’s just me. ↥︎