[3gg]

The article goes over the horrors of X.509, pulls the typical open source cliche that I actually don't see anybody spreading around, contrary to the article's claim, then argues that the privacy part is fine so long as there is a third-party audit. If the best thing the security community can do is install a global mass surveillance network of devices that come at every expense of users' computing freedoms, then I think these guys need to go back to the drawing board.

[qz2]

It's not even that. This is a distraction from the real issue which is this technology exists not to improve the security posture but to enforce market control.

So go back a few weeks and you buy a copy of Fortnite, Apple and Epic lock horns on a dispute and they revoke Epic's certificate. Next thing you get a shiny new M1 equipped Mac and go to install it and it's gone from the app store. Slightly deflated, you go back to your Mac and copy the files off it onto your new one, thinking you circumvented this slyly, it does an OCSP check and refuses to run the binary. Eventually the OCSP check will be done, probably after an OS upgrade on your old Mac and that's gone too. So you're deprived of something you paid for and have no control over the hardware you paid for.

This is an example of what could happen.

If it improved security posture the signing infrastructure wouldn't be used to sign any old shit from millions of developers doing all sorts of nefarious things that Apple didn't pick up during the review process...

Edit: this has already been demonstrated if you refer to the Flappy Bird mess a few years back.

[3gg]

Yes, thanks for the reply. I was giving the author the benefit of the doubt, but their arguments just have no solid grounds. And like you said, this is about market control, not security, the latter just being a distraction.

Another thing in line with what you mentioned is the ability for the company to squash competition. Not only do they have the last word to veto programs from running, they also get a global view of what everyone is running that nobody else has. This kind of information has been abused by Amazon to drive out competition in favour of their own "Amazon essentials" products, for example.

[nmlnn]

Yeah, if looked at in the larger context of them booting iOS apps from the app store that don't pay the 30% Apple tax for any in app payment - it's clear where they're going. It's just a boil the frog slowly strategy of making every major OS update more restrictive and trying to placate (with amazing hardware) those who complain.

Personally I drew the line at Catalina, and I think an order of magnitude more will draw the line at Big Sur.

[zepto]

It’s about security:

https://www.zdnet.com/article/apple-update-kills-off-zoom-we...

As for Epic. They lied about the content of the software they uploaded to the store, and knowingly breached a contract they had signed. If that isn’t fraud, I don’t know what is.

They could have sued Apple without the fraud. The certificate revocation was only about the fraudulent software update.

[qz2]

Yes Epic are bastards too. And Zoom. In fact these days it's wall to wall bastards.

But the end user doesn't care. They bought something and they want to keep it and use it. And that's where the buck stops.

[tuatoru]

> these days it's wall to wall bastards.

Sometimes I really wish I owned a T-shirt printing business. Thanks!

[hyper_reality]

Agreed, and furthermore the article calls the privacy arguments "far-fetched" and "dogwhistles", while only tackling a strawman version of the other side's view. The article doesn't for instance investigate the fact that the OCSP requests go over port 80 (i.e. unencrypted HTTP), or discuss the reliability issues that come into play when everyone's computers depend on a single service to have 100% uptime.

Finally, I think the writer should be more careful with their use of the term "dogwhistle". It's a politically-loaded term that isn't used correctly in this piece.