[HN Gopher] Apple Reneged on OCSP Privacy
___________________________________________________________________
Apple Reneged on OCSP Privacy

Author : bangonkeyboard
Score  : 88 points
Date   : 2022-06-16 20:02 UTC (2 hours ago)

(HTM) web link (mjtsai.com)
(TXT) w3m dump (mjtsai.com)

| OrvalWintermute wrote:
| Is the only way to mitigate this to jailbreak the device, edit
| the /etc/hosts to remap the DNS and point it at your own OCSP
| caching similar to what is done for airgaps and ICS/SCADA, or
| could you do this through 3rd party DNS apps, or an iOS VPN
| profile?

| saagarjha wrote:
| This is for macOS.

| cglong wrote:
| Most of this is a quote taken from
| https://lapcatsoftware.com/articles/ocsp-privacy.html

| sneak wrote:
| As the one who originally publicized the fact that Apple was
| leaking users' app launch data like this, I was surprised that
| they even committed to fixing it.
|
| I was doubly surprised when they failed to follow through; it is
| unlike Apple to lie.
|
| Note also that the link to my site in the first part of TFA is to
| the wrong article; the OCSP issue is related to app launches
| ("Your Computer Isn't Yours"), not the fact that each Mx macOS
| update phones home a) in plaintext and b) with hardware unique
| identifiers (your ARM's ECID) on every single OS update (this is
| TSS, not OCSP).
|
| Different types of bad plaintext phone home. Apple uses at least
| 2. :)

| lapcat wrote:
| > each Mx macOS update phones home a) in plaintext and b) with
| > hardware unique identifiers (your ARM's ECID) on every single
| > OS update
|
| Question about this article: At what point exactly during the
| update process does this happen?
|
| As a workaround, could one do softwareupdate --download from
| Terminal, turn off your internet connection, and then do
| softwareupdate --install?

| post_break wrote:
| Little Snitch is still one of the most powerful apps I run. I
| wish I could run it on my iPhone. When the OCSP thing went down I
| was livid. This still pisses me off.

| wfhordie wrote:
| Does Apple offer "offline" versions of their updates in DMG form?

| [deleted]

| my123 wrote:
| > Does Apple offer "offline" versions of their updates in DMG
| > form?
|
| .app bundles, but only full updates not deltas.
|
| When using Reduced Security instead of Full Security, online
| verification through TSS isn't necessary to install/update an
| OS.

| samtheprogram wrote:
| Since High Sierra (released 2017), their documentation points
| to the App Store installer links instead of to DMGs [1]. It's
| still possible to create a DMG installer for newer versions
| using createinstallmedia on the command line after downloading
| the installer to a Mac.
|
| [1]: https://support.apple.com/en-us/HT211683

| nixpulvis wrote:
| Anyone want to make Apple Butter? Please send help.
___________________________________________________________________
(page generated 2022-06-16 23:00 UTC)