[HN Gopher] Apple Reneged on OCSP Privacy
       ___________________________________________________________________
        
       Apple Reneged on OCSP Privacy
        
       Author : bangonkeyboard
       Score  : 88 points
       Date   : 2022-06-16 20:02 UTC (2 hours ago)
        
 (HTM) web link (mjtsai.com)
 (TXT) w3m dump (mjtsai.com)
        
       | OrvalWintermute wrote:
       | Is the only way to mitigate this to jailbreak the device, edit
       | the /etc/hosts to remap the DNS and point it at your own OCSP
       | caching similar to what is done for airgaps and ICS/SCADA, or
       | could you do this through 3rd party DNS apps, or an iOS VPN
       | profile?
        
         | saagarjha wrote:
         | This is for macOS.
        
       | cglong wrote:
       | Most of this is a quote taken from
       | https://lapcatsoftware.com/articles/ocsp-privacy.html
        
       | sneak wrote:
       | As the one who originally publicized the fact that Apple was
       | leaking users' app launch data like this, I was surprised that
       | they even committed to fixing it.
       | 
       | I was doubly surprised when they failed to follow through; it is
       | unlike Apple to lie.
       | 
       | Note also that the link to my site in the first part of TFA is to
       | the wrong article; the OCSP issue is related to app launches
       | ("Your Computer Isn't Yours"), not the fact that each Mx macOS
       | update phones home a) in plaintext and b) with hardware unique
       | identifiers (your ARM's ECID) on every single OS update (this is
       | TSS, not OCSP).
       | 
       | Different types of bad plaintext phone home. Apple uses at least
       | 2. :)
        
         | lapcat wrote:
         | > each Mx macOS update phones home a) in plaintext and b) with
         | hardware unique identifiers (your ARM's ECID) on every single
         | OS update
         | 
         | Question about this article: At what point exactly during the
         | update process does this happen?
         | 
         | As a workaround, could one do softwareupdate --download from
         | Terminal, turn off your internet connection, and then do
         | softwareupdate --install?
        
       | post_break wrote:
       | Little Snitch is still one of the most powerful apps I run. I
       | wish I could run it on my iPhone. When the OCSP thing went down I
       | was livid. This still pisses me off.
        
       | wfhordie wrote:
       | Does Apple offer "offline" versions of their updates in DMG form?
        
         | [deleted]
        
         | my123 wrote:
         | > Does Apple offer "offline" versions of their updates in DMG
         | form?
         | 
          | .app bundles, but only full updates, not deltas.
         | 
         | When using Reduced Security instead of Full Security, online
         | verification through TSS isn't necessary to install/update an
         | OS.
        
         | samtheprogram wrote:
         | Since High Sierra (released 2017), their documentation points
         | to the App Store installer links instead of to DMGs [1]. It's
         | still possible to create a DMG installer for newer versions
         | using createinstallmedia on the command line after downloading
         | the installer to a Mac.
         | 
         | [1]: https://support.apple.com/en-us/HT211683
        
       | nixpulvis wrote:
       | Anyone want to make Apple Butter? Please send help.
        
       ___________________________________________________________________
       (page generated 2022-06-16 23:00 UTC)