Apple is accused of new surveillance of users with the Big Sur update. The main thing

How did it all start?

This story started back on November 12, when a huge number of Mac users reported crashes when opening third-party applications. The problem also spread to Apple's own platforms such as iMessage and Apple Pay, which began operating erratically within a short period of time. This was caused by Gatekeeper, a security system that Apple introduced back in Mountain Lion to check whether a piece of software should be allowed to run.

Basically, if your Mac is connected to the Internet, Gatekeeper checks whether it is safe to run any software you open. Let's say you click the Launch button in Photoshop: your computer pings Apple's server to make sure Adobe still has a valid developer certificate. This process is usually fast and invisible to users, except that the number of people upgrading to macOS Big Sur overwhelmed the system and slowed it down.

Researchers interested in the cause of the slowdowns began to analyze the data that their computers were sending to Apple's servers. They claimed that the operating system sent details of what you were using to Apple HQ in plain text, which naturally caused a lot of alarm. Such claims were disputed by researcher Jacopo Jannone, who explained that the OCSP protocol, or Online Certificate Status Protocol, does not work that way.

"Your computer is no longer yours"

In a blog post entitled “Your computer is not yours”, security researcher Jeffrey Paul said Apple collects a hash (a unique identifier) of every program launched by a Mac user, along with their IP address, over an unencrypted connection. The end result, Paul wrote, is that anyone using a modern version of macOS cannot use their computer without "transferring and saving a log of [their] activity."

“In modern versions of macOS, you simply can't turn on your computer, launch a word processor or e-book reader, and write or read without transferring and saving a log of your activities,” said Jeffrey Paul.

Since the Mac conducts these operations over the network, the server, of course, sees your IP address and knows what time the request came in. The IP address allows rough geolocation at the city level and at the ISP level, the security expert says.

“This means Apple knows when you're at home. When you're at work. Which apps you open and how often. They know when you open Premiere at a friend's house on their Wi-Fi, and they know when you open Tor Browser at a hotel on a trip to another city.”

And it's not just about Apple. This information goes further, the expert emphasizes:

  • OCSP requests are sent unencrypted;
  • Since October 2012, Apple has been a partner of US military intelligence in the PRISM spy program, which gives federal police and the US military unfettered access to this data without a warrant whenever they ask for it. This happened more than 18,000 times in the first half of 2019, and another 17,500 times in the second half of 2019;
  • This data adds up to a huge amount of information about your life and habits and allows whoever holds it to identify your movements and patterns of activity. For some people, it may even pose a physical danger.

As Jeffrey Paul points out, until last week it was possible to block this Mac data collection using a program called Little Snitch. The released version of macOS 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working in the same way: they stop it from inspecting or blocking any OS-level processes. Additionally, new rules in macOS 11 make it difficult for VPNs to work, so Apple apps simply bypass them.

Is it really that bad?

However, not everyone agreed with Jeffrey Paul's analysis. A blog post by cybersecurity student Jacopo Jannone notes that the data sent to Apple's OCSP server contains information about the app developer's certificate, but not about the app itself. He adds that Apple's Gatekeeper service can send a hash of the executable, but separately from OCSP and over an encrypted connection. Apple's own support page notes that Gatekeeper uses an "encrypted connection that is resilient to server failures."

How did Apple react?

Apple was forced to clarify how its Gatekeeper anti-malware platform works after security researchers suggested the system violated privacy. The company, as noted by 9to5Mac,

An Apple spokesman told iPhone in Canada Blog that the company has updated its support documentation to explain that the system does not track what its users do. At the same time, Apple said it will change how Gatekeeper works in the future to further minimize risks.

“Gatekeeper performs online checks to check whether the app contains known malware and whether the developer signing certificate has been revoked,” Apple explains. “We have never combined data from these scans with information about Apple users or their devices. We do not use data from these scans to learn what individual users are launching or running on their devices,” the company explained.

In addition to this, Apple says that "over the next year we will make several changes to our security checks," namely:

  • a new encrypted protocol for checking the revocation of a Developer ID certificate;
  • reliable protection against server failure;
  • a new preference for users to opt out of these protections.

Apple also provided iPhone in Canada Blog with additional technical information about the situation. Certificate revocation checks are performed to ensure that the Developer ID certificates used to sign the application have not been revoked by the company. This step is critical to security, as a certificate can be revoked if the developer suspects it has been compromised by third parties or if it is being used to sign malicious applications.

macOS uses the industry-standard Online Certificate Status Protocol (OCSP) to verify that the code-signing certificate issued to the application's developer has not been revoked. This OCSP request does not include the user's Apple ID and does not identify the device or the application being launched.

Apple noted that since OCSP is also used to validate other certificates, including those used for encrypted web connections, these requests are made over unencrypted HTTP, as is common throughout the industry.

According to Apple, HTTP is used to avoid a situation in which validating the certificate that secures the connection to an OCSP server could itself depend on the outcome of a request to that same OCSP server, creating a loop that would make the request impossible to resolve.

Apple says that in macOS Catalina and later versions, by default, all applications are notarized by the company, meaning they have been checked by Apple for known malicious software. When an app is launched, macOS checks whether the app has been flagged as malicious by Apple since it was first notarized. These checks happen over an encrypted connection and are resilient to server failures. A server failure is exactly what happened the other day, when users saw their applications freeze and hang indefinitely.

What caused the problem with the OCSP server?

Apple claims this was due to a server-side misconfiguration that specifically prevented macOS from caching OCSP responses for Developer ID certificates. This configuration error, along with a misconfiguration of an unrelated content delivery network (CDN), caused the poor application performance at launch.

Apple explained to iPhone in Canada that it has already fixed this performance issue with a server-side update that now allows macOS to cache Developer ID OCSP checks for a longer period. macOS users don't need to do anything to take advantage of this update.

Application notarization checks are used to confirm that applications running on macOS have not been deemed malicious by Apple since they were first notarized. Apple says these checks happen over an encrypted connection and are resilient to server failures. Notarization checks were not affected by the server-side issue that prevented OCSP requests from completing.
