Apple Reneged on OCSP Privacy (lapcatsoftware.com)
65 points by aluxian on June 13, 2022 | 7 comments



That's too bad. Fast certificate revocation seems to be hard though. I don't know of a great solution for it.

I really do hate how apps hang waiting to phone home to Apple though. It compromises the user experience. (Though I'm not sure how much of that time is actually waiting for slow network services and how much of it is waiting for slow local processing.)

Given that revocation is rare, I think I might be willing to forego online validation and just use something like a local list of revoked code signing certs that is updated at a configurable interval.


Is OCSP stapling somehow defective? Aside from being mostly unimplemented on the client side. It does limit revocation latency to two days or so, but that’s probably as short as it can realistically be without CAs seriously getting into high availability.


I don't think you understand the context here. These are not web certificates, they're code signing certificates. There's only one CA in this case, and that's Apple, who issues Developer ID certificates to registered Mac developers to sign their apps, which are then distributed to users and installed on their Macs. Whenever an installed app is launched, macOS checks whether the code signing certificate has been revoked by Apple. So OCSP stapling is effectively irrelevant here.


Thanks for the excellent response.

Yeah, even if a time-limited OCSP validation cert is stapled to the app download (which seems like it would be easy to do on the Mac App Store at least), that doesn't seem to meet Apple's apparent desire for fast revocation based on online validation. (Or perhaps for user and app "analytics", but let's assume they are motivated by security and care about privacy.)

As a user I think I might be fine with something like cert stapling for App Store apps, and a cert blacklist for everything else.

On a possibly unrelated note, it is astonishing how long it takes Xcode to validate/install/start up the first time. I thought it was simply hung but it finished in a few hours.


OCSP has a fundamental weakness that it can’t be allowed to fail open, because the same attacker that can MITM a certificate can simulate a network outage for the OCSP check.

Browsers have given up — reliability and performance won — and they fail open on OCSP check failures.
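The fail-open weakness described in this comment, and the local revocation list with a configurable refresh interval proposed earlier in the thread, are easy to see side by side in a small simulation. The following is an added example, not code from the thread, from Apple, or from any real OCSP client: the responder, the serial numbers, the `ocsp_decision` / `decision_with_local_list` functions and their policies are all hypothetical, and the "network outage" is just a flag that stands in for an attacker blackholing the OCSP traffic.

```python
"""Simulated OCSP fail-open vs fail-closed decisions, plus a local revocation
list fallback. Added illustration only; nothing here models Apple's real
Developer ID checks or wire format. All serials and names are made up."""
from dataclasses import dataclass

GOOD, REVOKED = "good", "revoked"


class ResponderUnavailable(Exception):
    """The OCSP responder could not be reached. The client cannot tell a real
    outage from an attacker who dropped the packets on purpose."""


@dataclass
class OcspResponder:
    """Hypothetical responder: knows a set of revoked serials and may be unreachable."""
    revoked: set
    reachable: bool = True

    def query(self, serial: str) -> str:
        if not self.reachable:
            raise ResponderUnavailable("no route to responder")
        return REVOKED if serial in self.revoked else GOOD


def ocsp_decision(responder: OcspResponder, serial: str, fail_open: bool) -> bool:
    """Return True if the app may launch. `fail_open` is the policy applied
    when the responder cannot be reached (browsers chose True, per the thread)."""
    try:
        return responder.query(serial) == GOOD
    except ResponderUnavailable:
        return fail_open


@dataclass
class LocalRevocationList:
    """Locally cached list of revoked serials, refreshed every `max_age` seconds
    (the 'configurable interval' idea from earlier in the thread)."""
    serials: set
    fetched_at: float   # seconds since epoch when the list was last refreshed
    max_age: float      # how long the list is trusted before it counts as stale

    def verdict(self, serial: str, now: float):
        """None if the list is too stale to be trusted, else allow/deny."""
        if now - self.fetched_at > self.max_age:
            return None
        return serial not in self.serials


def decision_with_local_list(responder: OcspResponder, local: LocalRevocationList,
                             serial: str, now: float) -> bool:
    """Try the online check first; on outage consult the local list, and deny
    if even the local list is stale. This closes the attacker-induced-outage
    hole without blocking launches during an ordinary short outage."""
    try:
        return responder.query(serial) == GOOD
    except ResponderUnavailable:
        v = local.verdict(serial, now)
        return bool(v) if v is not None else False


def scenarios() -> dict:
    """Run the cases that matter and return their outcomes (True = launch allowed).
    Serial 'DEADBEEF' is a constructed example of a revoked cert, 'CAFEF00D' a valid one."""
    out = {}
    resp = OcspResponder(revoked={"DEADBEEF"})
    out["online, revoked, fail-open"] = ocsp_decision(resp, "DEADBEEF", fail_open=True)

    resp.reachable = False  # attacker (or outage) blackholes the OCSP traffic
    out["outage, revoked, fail-open"] = ocsp_decision(resp, "DEADBEEF", fail_open=True)
    out["outage, revoked, fail-closed"] = ocsp_decision(resp, "DEADBEEF", fail_open=False)
    out["outage, valid, fail-closed"] = ocsp_decision(resp, "CAFEF00D", fail_open=False)

    local = LocalRevocationList(serials={"DEADBEEF"}, fetched_at=1_000.0, max_age=86_400.0)
    out["outage, revoked, local list fresh"] = decision_with_local_list(resp, local, "DEADBEEF", now=2_000.0)
    out["outage, valid, local list fresh"] = decision_with_local_list(resp, local, "CAFEF00D", now=2_000.0)
    out["outage, valid, local list stale"] = decision_with_local_list(resp, local, "CAFEF00D", now=1_000.0 + 3 * 86_400.0)
    return out


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:40s} -> {'allow' if allowed else 'deny'}")
```

The second scenario is the whole problem in one line: with fail-open, a revoked certificate launches as soon as the attacker makes the responder unreachable. Fail-closed stops that but also blocks perfectly valid apps during any real outage, which is the reliability cost the comment mentions. The local list trades a bounded revocation delay (its refresh interval) for a check that an attacker cannot defeat by dropping packets, and it only falls back to denying everything once the list itself has gone stale.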


This is disappointing. How hard is it to implement an opt-out? Given the resources of Apple...


For an Apple developer to implement? I assume it's pretty easy.

For an Apple developer to get approval from the higher-ups to implement it? I assume near impossible.



