by sneak 1879 days ago
> Despite there being a way to turn it off.

There isn't; the OCSP checks happen on launch automatically.

I got Apple to encrypt it next year and delete their logs, though, thanks in part to the publicity afforded by HN to my yelling about it. They also committed to adding an off switch.

Hopefully they'll do it in a clever, privacy-preserving way using a bloom filter or something, instead of just sending the developer cert hash up to Apple as soon as you double-click an app.

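The "bloom filter or something" idea in the comment above, worked through as an added example (this is not code from the comment author, from Apple, or from any shipped macOS component): the publisher builds a Bloom filter over the fingerprints of revoked Developer ID certificates and the client downloads that filter; at launch the client tests its cert locally and only a filter hit falls through to an online query, so a cert that is not revoked normally never leaves the machine. The "certificates" here are constructed placeholder byte strings rather than real DER, and `online_status` is a hypothetical stand-in for whatever responder the real check would contact.

```python
import hashlib
import math
from dataclasses import dataclass, field
from typing import Callable, Iterable, Tuple


@dataclass
class BloomFilter:
    """Bit array with k positions per item, all derived from one SHA-256 digest."""
    n_bits: int
    n_hashes: int
    bits: bytearray = field(init=False)

    def __post_init__(self) -> None:
        self.bits = bytearray((self.n_bits + 7) // 8)

    @classmethod
    def sized_for(cls, expected_items: int, fp_rate: float) -> "BloomFilter":
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        n_bits = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        n_hashes = max(1, round(n_bits / expected_items * math.log(2)))
        return cls(n_bits, n_hashes)

    def _positions(self, item: bytes) -> Iterable[int]:
        # Kirsch-Mitzenmacher double hashing: position_i = h1 + i * h2 (mod m).
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return ((h1 + i * h2) % self.n_bits for i in range(self.n_hashes))

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: bytes) -> bool:
        # No false negatives; false positives occur at roughly fp_rate.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def cert_fingerprint(cert: bytes) -> bytes:
    return hashlib.sha256(cert).digest()


# Constructed placeholders: real input would be the DER bytes of a Developer ID
# leaf certificate. These strings only stand in for those bytes.
REVOKED_CERTS = [b"Developer ID Application: Revoked Vendor (AAAA111111)",
                 b"Developer ID Application: Malware Inc (BBBB222222)"]
GOOD_CERT = b"Developer ID Application: Honest Tools GmbH (CCCC333333)"


def build_revocation_filter(revoked: Iterable[bytes], expected_total: int = 1000,
                            fp_rate: float = 1e-4) -> BloomFilter:
    """Publisher side: this filter is what every client downloads periodically."""
    bf = BloomFilter.sized_for(expected_total, fp_rate)
    for cert in revoked:
        bf.add(cert_fingerprint(cert))
    return bf


def check_launch(cert: bytes, bf: BloomFilter,
                 online_status: Callable[[bytes], bool]) -> Tuple[bool, bool]:
    """Client side. Returns (allowed, contacted_server).

    Only a filter hit triggers the online lookup. online_status is a hypothetical
    stand-in for the real responder and returns True if the cert is revoked.
    """
    fp = cert_fingerprint(cert)
    if not bf.might_contain(fp):
        return True, False
    return (not online_status(fp)), True


def empirical_fp_rate(bf: BloomFilter, probes: int = 10_000) -> float:
    """Fraction of never-inserted fingerprints that the filter reports as present."""
    hits = sum(bf.might_contain(cert_fingerprint(b"probe-%d" % i)) for i in range(probes))
    return hits / probes


if __name__ == "__main__":
    revoked_set = {cert_fingerprint(c) for c in REVOKED_CERTS}
    bf = build_revocation_filter(REVOKED_CERTS)
    lookup = lambda fp: fp in revoked_set
    print("good cert ->", check_launch(GOOD_CERT, bf, lookup))
    print("revoked   ->", check_launch(REVOKED_CERTS[0], bf, lookup))
    print("filter: %d bytes, empirical fp rate %.5f" % (len(bf.bits), empirical_fp_rate(bf)))
```

Two caveats a practitioner would raise: a filter hit still sends that one fingerprint to the server (at the chosen rate, roughly one launch in ten thousand of a non-revoked app), and the filter is only as fresh as its last download, so the client needs a refresh schedule that bounds how long a newly revoked cert keeps launching.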

Well, by turning it off I mean blocking ocsp.apple.com in my firewall. I do this personally, not at work, by the way. But yes, they should really provide a way to properly turn it off in the OS itself.

By the way, another issue I have with the developer cert thing is that this way they will block all your apps if they have an issue with just one thing you've uploaded. And we all know Apple tends to blur the line between plain old malware and "against our T&C/commercial interests". They already have a say in what apps I can use on my iPad, like the ban on emulators, etc. It's my device; it should be a recommendation at most. This is why I fear they are moving the Mac in this direction as well.

PS: I didn't realise you were the one who raised this issue a couple months ago. Thanks for your work!!

There are a lot of other host names that need blocking, too, pancake.apple.com and xp.apple.com and *.push.apple.com among them.

The amount of spyware in macOS these days is absolutely astounding:

https://sneak.berlin/20210202/macos-11.2-network-privacy/

Thanks, again something I wasn't aware of. The problem with the push one is that blocking it will also block some legitimate stuff unfortunately :(

I'll keep an eye on your blog! Excellent info.

Like what?

Well, push messages :)

The problem is, if the Mac can't reach APNS, it won't get informed when there's an update to things like MDM profiles. If I push a new MDM profile, it happens immediately on a Mac that receives push notifications. On a Mac that doesn't, it can take more than a day!

This is something I'm fighting with our network team about because they're not allowing that traffic right now. Understandable, but for proper management it's sometimes necessary to make changes quickly, when a user needs to get an exception applied. It's also necessary for things like iMessage, but we don't allow that at work anyway (at least not for work purposes).

We're running an internal proxy, but APNS doesn't work through a proxy; they need to make an exception for it so it can go out direct.