
You can do unauthenticated TLS, which is no worse than plaintext HTTP, and foils passive listeners by providing privacy. You could also trust your existing trusted certs (prior to OCSP update) when doing the OCSP update, which, again, is no worse than plaintext HTTP.

Apple knows this. They have cryptography experts.

Taken in context with their backdooring of their e2e messenger and collaboration with military intelligence on FISA 702, I tend not to give them the benefit of the doubt any longer. Apple knows how to take pcaps.

There are only so many times the OS design gets to leak either keys or plaintext remotely before you need to stop assuming ignorance over malice.

I don’t know how many times that is, but it’s less than ten, probably less than 5, and because it’s a count of legitimate “assume ignorance”, then “goto fail”[2] also counts in the tally.

Between this OCSP plaintext telemetry leak, and iMessage default key escrow, scrapping their plan for e2e backups at the behest of the FBI that fixes the key escrow backdoor[3], and “goto fail” not authenticating TLS, we’re at 4.

I’m not even counting the recent story about Apple’s history of willing collaboration with intelligence agencies to make a custom classified firmware for the iPod to aid in espionage.[1]

As Goldfinger’s famous saying goes: “Once is happenstance. Twice is coincidence. The third time it’s enemy action.”

[1]: https://news.ycombinator.com/item?id=24212520

[2]: https://www.zdnet.com/article/apples-goto-fail-tells-us-noth...

[3]: https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...






“I’m not even counting the recent story about Apple’s history of willing collaboration with intelligence agencies to make a custom classified firmware for the iPod to aid in espionage.”

What would this ‘count’ as?



