OS 11

[jay (support)]

More detail on what Jay noted previously: Deeper look at Apple’s recent server outage reveals potential Mac privacy concerns

Yikes, it is worse than I realized. I'm shocked they are sending the query unencrypted. It is therefore trivial for ISPs (NSA, etc., too of course) to watch which apps you are launching and when. For a company that claims to be so privacy focused this is a huge misstep.

The way they should have done this feature: have a background task that periodically grabs (via HTTPS) a list of all dev certs that have been rejected. On app launch check the cert against the local cached copy of the list. This removes the privacy concern and prevents a slow server from hanging app launching.

This chap has a somewhat different take on the privacy concerns.

https://blog.jacopo.io/en/post/apple-ocsp/


Sent from my iPhone using Tapatalk Pro

[matt (support)]

Yep, in summary it looks like the information sent identifies the developer of the app but not the individual app, and that there is at least some caching going on such that requests are not made every time an app is launched within some time window.

So it isn't as bad as originally thought, however there is still no excuse for them using HTTP instead of HTTPS IMO.

So it isn't as bad as originally thought, however there is still no excuse for them using HTTP instead of HTTPS IMO.

One article I read speculated that they didn't want to get in a recursion situation needing to verify the SSL certificate while they were validating the developer's certificate. Who knows?