OS 11

Posted on
Fri Nov 13, 2020 3:28 pm
jay (support) offline
Site Admin
Posts: 16460
Joined: Mar 19, 2008
Location: Austin, Texas

Re: OS 11

Image

Jay (Indigo Support)

Posted on
Sun Nov 15, 2020 2:45 am
durosity offline
Posts: 4015
Joined: May 10, 2012
Location: Newcastle Upon Tyne, Ye Ol' England.

Re: OS 11

matt (support) wrote:
autolog wrote:

Yikes, it is worse than I realized. I'm shocked they are sending the query unencrypted. It is therefore trivial for ISPs (NSA, etc., too of course) to watch which apps you are launching and when. For a company that claims to be so privacy focused this is a huge misstep.

The way they should have done this feature: have a background task that periodically grabs (via HTTPS) a list of all dev certs that have been rejected. On app launch check the cert against the local cached copy of the list. This removes the privacy concern and prevents a slow server from hanging app launching.



This chap has a somewhat different take on the privacy concerns.

https://blog.jacopo.io/en/post/apple-ocsp/


Sent from my iPhone using Tapatalk Pro

Computer says no.
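
The cached-list design proposed in the quoted post above, sketched as an added example (not code from this thread or from Apple). The class name, the `fetch` callable standing in for an HTTPS download, the serial strings and the fail-open "allow-stale" policy are all assumptions.

```python
import time

class RevocationCache:
    """Local copy of a revoked-developer-certificate list (hypothetical design)."""

    def __init__(self, max_age_s=24 * 3600):
        self.revoked = frozenset()
        self.fetched_at = None        # None until the first successful refresh
        self.max_age_s = max_age_s

    def refresh(self, fetch, now=None):
        """Background task: replace the cache with a freshly fetched full list.

        `fetch` stands in for an HTTPS download. Because the whole list is
        pulled, the request does not reveal which certificate is being used.
        A failed or slow fetch keeps the previous copy instead of emptying it.
        """
        now = time.time() if now is None else now
        try:
            serials = frozenset(fetch())
        except OSError:               # includes TimeoutError, ConnectionError
            return False
        self.revoked, self.fetched_at = serials, now
        return True

    def check_launch(self, cert_serial, now=None):
        """Launch-time decision from local state only: no network I/O here."""
        now = time.time() if now is None else now
        if cert_serial in self.revoked:
            return "block"
        if self.fetched_at is None or now - self.fetched_at > self.max_age_s:
            return "allow-stale"      # assumed policy: allow, but flag for refresh
        return "allow"

def demo():
    """Constructed scenario: serials and timestamps are made up."""
    def server_down():
        raise TimeoutError("revocation server slow")
    cache = RevocationCache(max_age_s=3600)
    out = [cache.check_launch("DEV-A", now=0)]         # nothing cached yet
    cache.refresh(lambda: ["DEV-B"], now=0)            # DEV-B is revoked
    out.append(cache.check_launch("DEV-A", now=10))
    out.append(cache.check_launch("DEV-B", now=10))
    cache.refresh(server_down, now=20)                 # outage keeps old list
    out.append(cache.check_launch("DEV-B", now=20))
    out.append(cache.check_launch("DEV-A", now=5000))  # cache older than 1 h
    return out
```

The cost of this design is that a revocation only takes effect after the next successful refresh, so the refresh interval bounds how long a revoked certificate keeps working.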

Posted on
Sun Nov 15, 2020 11:07 am
matt (support) offline
Site Admin
Posts: 20243
Joined: Jan 27, 2003
Location: Texas

Re: OS 11

Yep, in summary it looks like the information sent identifies the developer of the app but not the individual app, and that there is at least some caching going on such that requests are not made every time an app is launched within some time window.

So it isn't as bad as originally thought, however there is still no excuse for them using HTTP instead of HTTPS IMO.


Posted on
Sun Nov 15, 2020 12:07 pm
FlyingDiver offline
Posts: 4669
Joined: Jun 07, 2014
Location: Southwest Florida, USA

Re: OS 11

matt (support) wrote:
So it isn't as bad as originally thought, however there is still no excuse for them using HTTP instead of HTTPS IMO.


One article I read speculated that they didn't want to get in a recursion situation needing to verify the SSL certificate while they were validating the developer's certificate. Who knows?

joe (aka FlyingDiver)
my plugins: http://forums.indigodomo.com/viewforum.php?f=177
