• Mac Big Sur slow download/failed blunder and OCSP logs

    #2311901

    Apple’s blunder with Mac Big Sur slow downloads and many Macs that couldn’t launch apps, unless offline, brought to light Apple’s OCSP logging (telemetry) logs.
    OCSP sends logs to Apple every time macOS is started, every time an app is launched…
    The data sent contains: Date, Time, Computer, ISP, City, State, Application Hash and is unencrypted

    It seems that OCSP started with Catalina (and maybe Mojave). OCSP can’t be blocked in Big Sur, not by Firewalls, not by VPN, not by Little Snitch…

    More at : https://sneak.berlin/20201112/your-computer-isnt-yours/

    • This topic was modified 4 years, 7 months ago by Alex5723.
    2 users thanked author for this post.
    • #2311905

      I’m sticking with Mojave, then I’ll move to Catalina, big slur is way off

      4 users thanked author for this post.
    • #2311946

      This is supposed to have affected also the “Intel” Macs running Catalina and earlier versions of macOS. However, I have been using my “Intel” Mac every single day for the last several days, including today so far, being a lot of the time online, and have not noticed any problems. Perhaps this OCSP-related problem lasted only a few hours when I was sleeping, because it all happened during the night in my US Eastern Standard Time zone?

      Here is some more information on this (maybe) alarming issue. Also some to and fro discussion on whether Apple is improperly snooping on people and putting their personal information in danger by sending certain file hashes and other information unencrypted (on the lack of encryption, I have not found corroborating information on what it says in the article linked by Alex, all I know is that with OCSP encryption is optional, so the real question is whether Apple has chosen to use it or not):

      https://www.theverge.com/2020/11/12/21563092/apple-mac-apps-load-slow-big-sur-downloads-outage-down-issues

      This includes this “might work solution”:

      Hey Apple users:

      If you’re now experiencing hangs launching apps on the Mac, I figured out the problem using Little Snitch.

      It’s trusted connecting to http://ocsp.apple.com

      Denying that connection fixes it, because OCSP is a soft failure.

      (Disconnect internet also fixes.)

      Ehsan Kia

      Some people are complaining about Windows spying while others are answering “not, really”:

      https://www.iphoneincanada.ca/news/privacy-concerns-emerge-following-apple-ocsp-server-outage/

      Commenter 1: “A deeper dive into Apple’s certificate authentication practices has also revealed that requests sent to the OCSP server also include the date, time, the device used, the ISP you’re connected to, and the city and state you’re in, making it possible to extrapolate your physical location from the information.” Right down to the city. That’s not very specific.

      Commenter 2: “As for the rest, that’s how OCSP works for everyone. It helps makes things more secure. This isn’t a “treasure trove of info”. At best, they know what apps someone in your city is using, but not who, where, or what they are doing.

      Contrast that with systems that are actually designed to harvest and collate much greater amounts and more specific data about everyone. Their actual location, down to a few meters, their movements, the contents of the communications, their actual activities within apps instead of just the fact the app is running, personal interactions, shopping details and spending habits, names, numbers, family, friends, visitors, work, call history, viewing habits, etc, etc, etc.

      What is OCSP? An explanation here”

      https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

      Also look at the Comments in the Verge article.

      For example:
      “Posted on Nov 13, 2020 | 12:04 AM
      Paul_M

      [A previous comment from someone else] “This proves Apple is phoning back the hash of every single app you open.”

      “No it doesn’t. Gatekeeper doesn’t check the hash of every app you open every time you open them. It checks files that are quarantined (for instance stuff you downloaded) before you run them. If the check passes, the code isn’t checked again unless it changes. People that had issues during this outage were probably downloading updates for their apps after the Big Sur update, which triggered new GateKeeper checks (that failed due to the outage).
      Besides, I don’t think there is any reason to believe, or any proof, that any personal information is shared with Apple during a Gatekeeper check.

      Admittedly, none of this is great and it is indeed a big deal. It’s never great for a company like Apple to suffer from such an outage. It’s also fair to think Apple’s policies over what you can or cannot run on macOS are overprotective and too restrictive. I’m not disputing that. But to claim there is an underlying privacy scandal behind it is just false”.

      Apple’s OCSP-related problem is further described here:

      https://arstechnica.com/gadgets/2020/11/macos-big-sur-launch-appears-to-cause-temporary-slowdown-in-even-non-big-sur-macs/

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      2 users thanked author for this post.
    • #2311959

      Little Snitch can block the connection, which would have been helpful when I had the issue this week, although alas, I already moved onto NetBarrier (which probably could have blocked the connection as well).

      To make matters worse, the issue had to occur 10 minutes before a live class when I needed to open Zoom. It finally launched, but it wasn’t fun.

      Nathan Parker

      3 users thanked author for this post.
    • #2311963

      More details on how Little Snitch can block the server issue if it occurs again: https://appleinsider.com/articles/20/11/12/apple-system-issue-causing-app-install-runtime-problems

      Nathan Parker

      2 users thanked author for this post.
      • #2311983

        how Little Snitch can block the server issue if it occurs again

        As the author wrote, Little Snitch doesn’t block servers in Big Sur.

        The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don’t permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

        1 user thanked author for this post.
    • #2312012

      Don’t want big slur yet, the Terminal and a loopback is your friend

      sudo vi /etc/hosts

      127.0.0.1 ocsp.apple.com

      1 user thanked author for this post.
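      A hosts-file audit to go with the loopback workaround posted above, added here as an example and not code from any poster: it finds lines that sinkhole ocsp.apple.com to a loopback or unspecified address, so an override left behind after the outage can be found and removed. The sample hosts text is constructed; the function and hostname list are assumptions.

```python
import ipaddress

# Constructed sample /etc/hosts content showing the loopback override
# posted above, plus normal entries and a duplicate in different case.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# added during the Nov 2020 outage, remember to remove
127.0.0.1 ocsp.apple.com
0.0.0.0   OCSP.Apple.Com   # same effect, different case
"""

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127/8, ::1, 0.0.0.0, ::),
    i.e. entries that silently swallow the OCSP request."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_overrides(hosts_text, names=("ocsp.apple.com",)):
    """Return (line_number, address, hostname) for every hosts line that maps
    one of `names` to a sinkhole address. Comments and blank lines are skipped;
    hostnames compare case-insensitively, as the resolver treats them."""
    wanted = {n.lower() for n in names}
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        addr, hostnames = fields[0], fields[1:]
        for host in hostnames:
            if host.lower() in wanted and is_sinkhole(addr):
                hits.append((lineno, addr, host))
    return hits

if __name__ == "__main__":
    # On a real Mac: find_overrides(open("/etc/hosts").read())
    for lineno, addr, host in find_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr} (revocation check sinkholed)")
```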
    • #2312027

      Not related to Big Sur and is more of a temporary hiccup with Apple’s servers. Apps that were already open during the time of the outage were unaffected. On that day I noticed that my Paintbrush app was taking an unusually long time to start up when opened.

      1 user thanked author for this post.
    • #2312203

      Apple responding to Jeffrey Paul’s concern with new document : Safely open apps on your Mac

      …
      Privacy protections

      macOS has been designed to keep users and their data safe while respecting their privacy.

      Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.

      Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.

      These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

      In addition, over the next year we will introduce several changes to our security checks:

      A new encrypted protocol for Developer ID certificate revocation checks
      Strong protections against server failure
      A new preference for users to opt out of these security protections

      • This reply was modified 4 years, 7 months ago by Alex5723.
      1 user thanked author for this post.
    • #2312212

      Does Apple really log every app you run? A technical look

      Apple’s launch of macOS Big Sur was almost immediately followed by server issues which prevented users from running third-party apps on their computers. While a workaround was soon found by people on Twitter, others raised some privacy concerns related to that issue…

      What is OCSP?

      OCSP stands for Online Certificate Status Protocol. As the name implies, it is used to verify the validity of a certificate without having to download and scan large certificate revocation lists. macOS uses OCSP to make sure that the developer certificate hasn’t been revoked before an app is launched.

      As Jeff Johnson explains in his tweet above, if macOS cannot reach Apple’s OCSP responder it skips the check and launches the app anyway – it is basically a fail-open behaviour. The problem is that Apple’s responder didn’t go down; it was reachable but became extremely slow, and this prevented the soft failure from triggering and giving up the check.

      It is clear that this mechanism requires macOS to contact Apple before an app is launched. The sudden public awareness of this fact, brought about by Apple’s issues, raised some privacy concerns and a post from security researcher Jeffrey Paul became very popular on Twitter. He claims that

      In the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it.

      That would be creepy indeed…

      No, macOS does not send Apple a hash of your apps each time you run them.

      You probably shouldn’t block ocsp.apple.com with Little Snitch or in your hosts file.

      1 user thanked author for this post.
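      The fail-open behaviour the quoted article describes, as an added illustration that is not the article's, Apple's or any poster's code: a revocation check that soft-fails when the responder is unreachable, and why a responder that is reachable but very slow defeats that soft failure unless the check also enforces a deadline. The responder behaviours are simulated in-process and all names are assumptions.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Simulated responder behaviours (constructed for this example).
def responder_unreachable(cert_id):
    raise ConnectionRefusedError("no route to responder")

def responder_slow(cert_id, delay=0.5):
    time.sleep(delay)  # reachable, but answers far too slowly
    return "good"

def responder_ok(cert_id):
    return "revoked" if cert_id == "revoked-dev-cert" else "good"

def check_launch(cert_id, responder, deadline=None):
    """Decide whether an app may launch. Returns (allowed, reason, seconds).
    deadline=None waits as long as the responder is reachable, which is the
    behaviour that turned a slow responder into hung app launches."""
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(responder, cert_id)
    try:
        status = fut.result(timeout=deadline)
    except FutureTimeout:  # checked first: on 3.11+ it is an OSError subclass
        allowed, reason = True, "soft-fail: responder exceeded deadline"
    except OSError as exc:
        allowed, reason = True, f"soft-fail: responder unreachable ({exc})"
    else:
        allowed = status != "revoked"
        reason = "certificate revoked" if status == "revoked" else "certificate good"
    finally:
        pool.shutdown(wait=False)  # do not wait for a straggling responder call
    return allowed, reason, time.monotonic() - start

if __name__ == "__main__":
    for name, resp, dl in [("unreachable", responder_unreachable, 2.0),
                           ("slow, no deadline", responder_slow, None),
                           ("slow, 0.1s deadline", responder_slow, 0.1),
                           ("revoked cert", responder_ok, 2.0)]:
        cid = "revoked-dev-cert" if name == "revoked cert" else "dev-cert"
        allowed, reason, secs = check_launch(cid, resp, dl)
        print(f"{name:22} allowed={allowed!s:5} {reason} ({secs:.2f}s)")
```

      Only the third case returns promptly; the second shows the launch blocked for the responder's full delay because no deadline bounds the soft failure.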
    • #2312396

      I’m fine with Apple doing it (I know it’s a security mechanism, and I overall trust Apple on privacy), and I wouldn’t block OCSP for daily use. The only time I’d consider blocking it is if another issue such as this occurs, and I need immediate access to an app launching, on which I’d temporarily block it then re-enable it afterward. In that case, I’d probably have a backup way to launch the app anyway on an iPad or another Mac running an older OS.

      Nathan Parker

      2 users thanked author for this post.
    • #2313093

      If you can’t install macOS Big Sur on certain 13-inch MacBook Pro computers from 2013 and 2014

      Follow these steps if you can’t install macOS Big Sur on a MacBook Pro (Retina, 13-inch, Late 2013) or MacBook Pro (Retina, 13-inch, Mid 2014).

      When you install macOS Big Sur on these Mac models, the installer might say that the update cannot be installed on this computer, or your Mac might start up to a blank screen or circle with a line through it.

      If your Mac no longer starts up successfully, these steps might help resolve the issue:

      Press and hold the power button on your Mac for at least 10 seconds, then release. If your Mac is on, it turns off.
      Unplug all external devices from your Mac, including any displays and USB accessories, and remove any card inserted in the SDXC card slot. Then turn your Mac on.
      If the issue persists, reset the SMC as described for notebook computers with a nonremovable battery.
      If the issue persists, reset NVRAM or PRAM.

      1 user thanked author for this post.