Mac certificate check stokes fears that Apple logs every app you run
Last Thursday afternoon, Mac users everywhere began complaining of a crippling slowdown when opening apps. The cause: online certificate checks Apple performs each time a user opens an app not downloaded from the App Store. The mass upgrade to Big Sur, it seems, caused the Apple servers responsible for these checks to slow to a crawl.
Apple quickly fixed the slowdown, but concerns about paralyzed Macs were soon replaced by an even bigger worry—the vast amount of personal data Apple, and possibly others, can glean from Macs performing certificate checks each time a user opens an app that didn’t come from the App Store.
For people who understood what was happening behind the scenes, there was little reason to view the certificate checks as a privacy grab. Just to be sure, though, Apple on Monday published a support article that should quell any lingering worries. More about that later—first, let’s back up and provide some background.
Meet OCSP
Before Apple allows an app into the App Store, it must first pass a review that vets its security. Users can configure the macOS feature known as Gatekeeper to allow only these approved apps, or they can choose a setting that also allows the installation of third-party apps, as long as these apps are signed with a developer certificate issued by Apple. To make sure the certificate hasn’t been revoked, macOS uses OCSP—short for the industry standard Online Certificate Status Protocol—to check its validity.
Checking the validity of a certificate—any certificate—authenticating a website or piece of software sounds simple enough, but it has long presented problems industrywide that aren’t easy to solve. The initial means was use of certificate revocation lists, but as the lists grew, their size prevented them from working effectively. CRL gave way to OCSP, which performed the check on remote servers.
OCSP, it turned out, had its own drawbacks. Servers sometimes go down, and when they do, OCSP server outages have the potential to paralyze millions of people trying to do things like visit sites, install apps, and check email. To guard against this hazard, OCSP defaults to what’s called a “soft fail.” Rather than block the website or software that’s being checked, OCSP will act as if the certificate is valid in the event that the server doesn’t respond.
Somehow, the mass number of people upgrading to Big Sur on Thursday seems to have caused the servers at ocsp.apple.com to become overloaded but not fall over completely. The server couldn’t provide the all clear, but it also didn’t return an error that would trigger the soft fail. The result was huge numbers of Mac users left in limbo.
Apple fixed the problem with the availability of ocsp.apple.com, presumably by adding more server capacity. Normally, that would have been the end of the issue, but it wasn’t. Soon, social media was awash in claims that the macOS app-vetting process was turning Apple into a Big Brother that was tracking the time and location whenever users open or reopen any app not downloaded from the App Store.
Paranoia strikes deep
The post Your Computer Isn’t Yours was one of the catalysts for the mass concern. It noted that the simple HTML get-requests performed by OCSP were unencrypted. That meant that not only was Apple able to build profiles based on our minute-by-minute Mac usage, but so could ISPs or anyone else who could view traffic passing over the network. (To prevent falling into an infinite authentication loop, virtually all OCSP traffic is unencrypted, although responses are digitally signed.)
Fortunately, less alarmist posts like this one provided more helpful background. The hashes being transmitted weren’t unique to the app itself but rather the Apple-issued developer certificate. That still allowed people to infer when an app such as Tor, Signal, Firefox, or Thunderbird was being used, but it was still less granular than many people first assumed.
The larger point was that, in most respects, the data collection by ocsp.apple.com wasn’t much different from the information that already gets transmitted in real time through OCSP every time we visit a website. To be sure, there are some differences. Apple sees OCSP requests for all Mac apps not downloaded from the App Store, which presumably is a huge number. OCSP requests for other digitally signed software goes to hundreds or thousands of different certificate authorities, and they generally get sent only when the app is being installed.
In short, though, the takeaway was the same: the potential loss of privacy from OCSP is a trade-off we make in an effort to check the validity of the certificate authenticating a website we want to visit or a piece of software we want to install.
Apple speaks
In an attempt to further assure Mac users, Apple on Monday published this post. It explains what the company does and doesn’t do with the information collected through Gatekeeper and a separate feature known as notarization, which checks the security even of non-App Store apps. The post states:
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
The post went on to say that in the next year, Apple will provide a new protocol to check if developer certificates have been revoked, provide “strong protections against server failure,” and present a new OS setting for users who want to opt out of all of this.
The controversy over behavior that macOS has been doing since at least the Catalina version was introduced last October underscores the tradeoff that sometimes occurs between security and privacy. Gatekeeper is designed to make it easy for less experienced users to steer clear of apps that are known to be malicious. To make use of Gatekeeper, users have to send a certain amount of information to Apple.
Not that Apple is completely without fault. For one thing, developers haven’t provided an easy way to opt out of OCSP checks. That has made blocking access to ocsp.apple.com the only way to do that, and for less experienced Mac users, that’s too hard.
The other mistake is relying on OCSP at all. Because of its soft fail design, the protection can be overridden, in some cases purposely by an attacker or simply due to a network failure. Apple, however, is hardly alone in its reliance on OCSP. A revocation method known as CRLite may ultimately provide a solution to this failing.
People who don’t trust OCSP checks for Mac apps can turn them off by editing the Mac hosts file. Everyone else can move along.
https://arstechnica.com/?p=1723572