Apple's OCSP Service and privacy concerns

(Developer certificate verification: per developer, not per app, and not per app launch.)


In case (somehow) you missed it, Apple recently released the newest version of macOS, named "Big Sur." On the day/night of its release, Apple made some changes that impacted their OCSP service, causing applications to take an extremely long time to launch (only if they weren't already running), or to appear not to launch at all.

While the impact was (of course) lamentable at best and understandably infuriating, it is worth taking the time to understand what actually happened and why.

Rather than reiterate all of the important details involved, we recommend that you read the following (excellent) posts/articles, the first of which is this one:
Ars Technica: macos-big-sur-launch-appears-to-cause-temporary-slowdown-in-even-non-big-sur-macs

The outage led to some unfortunate histrionics and hyperbole about what Apple's OCSP service is, what it does and why, including ill-founded claims that Apple "logs every app that you launch." That's simply not true.

The next suggested article is this one,
https://blog.jacopo.io/en/post/apple-ocsp/

with a nicely provided "TL;DR":

  • No, macOS does not send Apple a hash of your apps each time you run them.

  • You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text on your network.

  • You probably shouldn’t block ocsp.apple.com with Little Snitch or in your hosts file.
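To make the second point concrete, here is an added example (not code from the original post or from the linked articles) that builds and decodes the CertID carried in an OCSP request per RFC 6960, using only the standard library. It shows what the "opaque information" consists of: SHA-1 hashes of the issuing CA's name and key plus the serial number of the developer's signing certificate, with no application hash anywhere in the structure. The issuer name, key bits and serial number below are constructed sample values, not Apple's.

```python
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")              # id-sha1, 1.3.14.3.2.26
SAMPLE_ISSUER_NAME = b"CN=Sample Developer ID CA"  # constructed stand-in for a DER Name
SAMPLE_ISSUER_KEY = bytes(range(64))               # constructed stand-in for public key bits
SAMPLE_SERIAL = 0x1A2B3C4D                         # constructed certificate serial number


def der(tag, body):
    """Encode one DER TLV; short or two-byte long-form length is enough here."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_children(body):
    """Split a concatenation of DER TLVs into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:                                  # long-form length
            k = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out


def cert_id_fields(issuer_name_der, issuer_key_bits, serial):
    """The only things a CertID names: the issuer (two hashes) and one serial."""
    return {"issuer_name_hash": hashlib.sha1(issuer_name_der).hexdigest(),
            "issuer_key_hash": hashlib.sha1(issuer_key_bits).hexdigest(),
            "serial": serial}


def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest > TBSRequest > requestList > Request > CertID (defaults omitted)."""
    f = cert_id_fields(issuer_name_der, issuer_key_bits, serial)
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))   # sha1 with NULL params
    cert_id = der(0x30, alg
                  + der(0x04, bytes.fromhex(f["issuer_name_hash"]))
                  + der(0x04, bytes.fromhex(f["issuer_key_hash"]))
                  + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big")))
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))


def decode_ocsp_request(req):
    """Descend the five nested SEQUENCEs and return the CertID fields."""
    body = req
    for _level in range(5):                            # each level holds exactly one child
        (_tag, body), = der_children(body)
    _alg, name_hash, key_hash, serial = der_children(body)
    return {"issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big")}
```

Two different apps signed with the same developer certificate produce byte-identical requests, which is why the check is per developer certificate rather than per app or per launch.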


Published November 17, 2020 by David Haines,

coresolutiongroup.com

(413) 584-5115