Apple defends the role of Gatekeeper after users can't open Mac apps:
Last week, Apple released the much-awaited macOS Big Sur update for everyone. While everyone rushed to get a new update, folks who didn't update at that moment faced a peculiar problem: they couldn't open their apps.
It's a frustrating situation when you rely on your computer for work, but can't do anything because a server is messed up. That's right, as developer Jeff Johnson noted, the issue was caused by Apple's Online Certificate Service Protocol (OCSP) server crashed — largely due to many users downloading the new update simultaneously.
The OCSP server is responsible for authenticating digital certificates of all apps — both Apple and third-party. Apple calls this feature Gatekeeper, and the company claims it helps to prevent apps without valid certificates from opening to maintain user security.
It doesn't matter if you've downloaded your app from the App Store or not. So when users were trying to just open their apps, they had to wait for the OCSP server to authenticate the app for them, but they weren't getting any response. The easiest solution was to turn off the internet to launch apps. Apple evidently fixed the problem in a few hours.
[2020-11-19 00:50:34 UTC; Updated to add the following. --martyb]
Ars Technica breaks down OCSP in more detail and also summarizes Apple's response in: Mac certificate check stokes fears that Apple logs every app you run:
In an attempt to further assure Mac users, Apple on Monday published this post. It explains what the company does and doesn’t do with the information collected through Gatekeeper and a separate feature known as notarization, which checks the security even of non-App Store apps. The post states:
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
The post went on to say that in the next year, Apple will provide a new protocol to check if developer certificates have been revoked, provide “strong protections against server failure,” and present a new OS setting for users who want to opt out of all of this.
(Score: 5, Insightful) by looorg on Thursday November 19 2020, @01:38AM (2 children)
We have never. But we totally could whenever we wanted and there would be no way for you to find out unless someone snitched. So they have no way of actually backing up said statement except the usual "trust us!".
It's not like they are better or worse then all the other tech giants tho. By now I just assume they all do it in some form or another.
"We have stopped logging IP". Right but we have never ever run or combined these multitudes of data we secretly collected on you. Trust us!
Why did they even collect that data in the first place if they don't intend to use it for something? It's not like they just had a few spare server farms doing nothing better.
On some level it sounds more like OCSP and Gatekeeper are there to make sure Apple got their cut from whatever App was sold and is run. If you didn't fork over for the big fancy official developer kit and certificate you are some kind of shady developer.
But next year this will totally never happen again as they have created a new protocol for this. Is the news that it won't fail or that they are going to stop doing sneaky shit behind the users back on their computers?
(Score: 4, Insightful) by crafoo on Thursday November 19 2020, @11:12AM (1 child)
They are lying. If they aren't doing it they are passing the information to someone who is.
(Score: 2) by looorg on Thursday November 19 2020, @01:47PM
It's not like an idea for a system where it might be useful can't be thought of or constructed. If one assume they are not lying bastards and they are infact doing it for the reasons they claim when they logged IP (which we have no way of knowing if they stopped with, after all one can read that sentence in quite a few ways -- they might just have stopped logging IP for certain criteria ("we have stopped logging IP addresses associated with Developer ID certificate checks") but might still be logging if for everything else). So when could it be useful then? I guess if they are indeed checking for malware they might want to know where this malware is located so they can block it or see it spread, perhaps it's a very geographically limited infection etc.
(Score: 5, Insightful) by FatPhil on Thursday November 19 2020, @01:41AM (7 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by looorg on Thursday November 19 2020, @01:50AM (5 children)
One really wonders why there just isn't a small local lookup table that gets fetched or pushed, and stored at, to the user depending on what apps you have or are installed and then perhaps some check vs the main server every now and then.
Sure it's to prevent malware tampering locally or whatever. But then if you can just disable the network connection and get the same effect what good is the online authentication anyway. Malware just has to disable the network, or I guess edit the hostfile to prevent it finding the server, and the whole authentication process becomes pointless? Or?
(Score: 4, Informative) by Runaway1956 on Thursday November 19 2020, @02:33AM (2 children)
Win10 has made it abundantly clear that the hosts file will be bypassed by hard coded addresses in the OS. Typing an IP address into a browser window, for instance, won't be blocked because the browser doesn't ask the OS for an IP lookup. Apple knows enough to hard code IP addresses into it's own spyware.
(Score: 4, Insightful) by darkfeline on Thursday November 19 2020, @04:31AM (1 child)
I suppose it's time for me to say this again, DNS is an application level protocol. Any name resolution provided by standard libraries or OS libraries is merely a convenience and not a network blocking tool.
If you're "blocking" traffic with a hosts file, you're doing it wrong.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Thursday November 19 2020, @08:22AM
Using DNS to prevent spam being send through SMTP*...
* SPF / DKIM
(Score: 2) by helel on Thursday November 19 2020, @02:41AM
So far as I can tell there is a local lookup table. A big part of what brings this to a head now is that in the new version no user process can interfere with the communications to Apple's servers. Great for preventing malware from blocking or redirecting the lookup, not so great if you're trying to minimize bandwidth use while traveling or need to use a vpn for safety.
Assuming we trust Apple's word these online checks are to see if an application's certificate has been revoked since the last update. It lets them disable malware the instant they become aware of it but... Well, here we are.
(Score: 2) by sjames on Thursday November 19 2020, @08:05AM
This is so they can flip the big red switch and make an already signed installed and approved app go poof whenever they want.
(Score: 3, Interesting) by rigrig on Thursday November 19 2020, @09:15AM
OCSP is for checking certificate revokations: it looks like Apple correctly handles "no internet" by assuming the certificate is still valid, but didn't anticipate "there is internet but the OCSP server takes forever to respond".
No one remembers the singer.
(Score: 4, Touché) by stretch611 on Thursday November 19 2020, @01:55AM (3 children)
...computers own you, not the other way around.
Then again, I guess that is true in this case as well.
(happily using linux here, exclusively now for over 12 years.)
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 5, Funny) by unauthorized on Thursday November 19 2020, @03:59AM (2 children)
In Soviet Russia, man oppresses man. In Capitalist America it's the other way around.
(Score: 0, Insightful) by Anonymous Coward on Thursday November 19 2020, @11:33AM (1 child)
In Soviet Russia, men oppress women. In Capitalist America women oppress men.
Sounds about right.
(Score: 0) by Anonymous Coward on Friday November 20 2020, @04:25AM
Sounds like you have some Momma issues to work out. Don't worry, we'll still be here when you're ready to come back.
(Score: 2) by Arik on Thursday November 19 2020, @03:53AM (1 child)
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Reziac on Friday November 20 2020, @02:20AM
...in really small print: But our partners still log shit. You guess which shit.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 4, Insightful) by MostCynical on Thursday November 19 2020, @05:12AM
Apple says *this* certificate checking process doesn't log every app/time opened/closed/with/without keystrokes.. doesn't mean *other* processes don't..
Every single user of program F also uses program K? Marketing. sales, and additional charging opportunities...
No user of Program T ever uses program X? as above..
Product/app/program/sales opportunity/market dominance/fuck you, it's shiny...
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex