As the one who originally publicized the fact that Apple was leaking users' app launch data like this, I was surprised that they even committed to fixing it.
I was doubly surprised when they failed to follow through; it is unlike Apple to lie.
Note also that the link to my site in the first part of TFA is to the wrong article; the OCSP issue is related to app launches ("Your Computer Isn't Yours"), not the fact that each Mx macOS update phones home a) in plaintext and b) with hardware unique identifiers (your ARM's ECID) on every single OS update (this is TSS, not OCSP). This allows passive listeners to sniff your unencrypted HTTP TSS traffic that contains your system's unique ECID, and, via client IP geolocation, infer your travel/location history unless you remember to always update over a VPN.
Different types of bad plaintext phone home APIs. Apple uses at least 2: OCSP and TSS. :)
Here is a thing. The endpoint gs.apple.com already supports HTTPS (and on port 433). In fact, a new cert was issued to that endpoint on 23rd Feb 2022 -- before the date of your article. Something was already afoot before you wrote about it. This new cert also contains a custom OID, which could be used for pinning.
It is possible, with an http proxy / pihole to upgrade all of your local network connections to https when speaking to gs.apple.com.
My guess is that a change is coming, but the pieces aren't all in place yet.
So I decided to look at the code that implements talking to gs.apple.com on my Mac. It already supports using TLS. If I am reading this correctly, there are ways it could be enabled right now. Out of respect for Apple, as they are clearly not yet ready to enable this for everyone, I am declining to say how.
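The two defensive ideas raised above (spot cleartext traffic to gs.apple.com on your own network, and have a local proxy rewrite such requests to HTTPS) can be prototyped in a few lines. The following is an added example written for this thread, not code from any commenter or from Apple. It audits a constructed list of flow records in the shape a Little Snitch export or a pcap summary might give (the field names, the sample values, and the request path are assumptions) and shows the URL-upgrade rule a local proxy or Pi-hole-style filter would apply for the one endpoint named in the thread.

```python
"""Audit network flows for cleartext phone-home traffic to gs.apple.com.

Added example for this discussion; not code from the thread or from Apple.
The Flow record layout and the sample data below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Endpoints that the thread says already accept HTTPS. Only gs.apple.com
# is named on the page; extend this set for your own environment.
WATCHED_HOSTS = {"gs.apple.com"}


@dataclass(frozen=True)
class Flow:
    """One observed connection (assumed export format)."""
    host: str        # destination hostname (from DNS or SNI/Host header)
    dst_port: int
    tls: bool        # True if the connection negotiated TLS
    src_ip: str      # client address; a passive listener could geolocate this
    bytes_out: int


def is_plaintext_phone_home(flow: Flow) -> bool:
    """True when a watched host was reached without TLS."""
    return flow.host in WATCHED_HOSTS and not flow.tls


def audit(flows):
    """Return one finding per cleartext flow to a watched host."""
    findings = []
    for f in flows:
        if is_plaintext_phone_home(f):
            findings.append({
                "host": f.host,
                "port": f.dst_port,
                "src_ip": f.src_ip,
                "reason": ("cleartext HTTP: request body (hardware identifiers "
                           "such as the ECID) is readable by a passive listener"),
            })
    return findings


def upgrade_url(url: str) -> str:
    """Rewrite http:// to https:// for watched hosts; leave everything else as-is.

    This is the rule a local HTTP proxy would apply to force TLS toward
    gs.apple.com, as suggested in the thread. Port 80 is dropped so the
    default HTTPS port (443) is used.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in WATCHED_HOSTS:
        return url
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))


# Constructed sample: one cleartext TSS-style request, one TLS request to the
# same host, and an unrelated TLS flow. The path "/example/ticket" is made up.
SAMPLE_FLOWS = [
    Flow("gs.apple.com", 80, False, "203.0.113.10", 4096),
    Flow("gs.apple.com", 443, True, "203.0.113.10", 4096),
    Flow("example.org", 443, True, "203.0.113.10", 512),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"ALERT {finding['src_ip']} -> {finding['host']}:{finding['port']}: {finding['reason']}")
    print(upgrade_url("http://gs.apple.com:80/example/ticket?action=2"))
```

Run it as a script to see one alert for the port-80 flow and the rewritten `https://gs.apple.com/example/ticket?action=2` URL; feed `audit()` a parsed export from your own firewall or capture tool to use it for real. Note that this only detects cleartext toward the watched host; whether the client then accepts the upgraded connection is up to the OS, which is exactly the point the thread is making.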
No, the machine (if set to full security) needs a signed ticket from Apple specific to your hardware (ECID) to run. It's just like an iPhone/iPad in that regard. Disabling the internet means the update will fail.
Remember TinyUmbrella and backing up your SHSH blobs so that you could downgrade to previous OSes? It's that same API.
I love Apple hardware, it's truly top notch, but I am eager to completely remove macOS over privacy concerns. If Apple is taking privacy seriously, and advertising that, it needs to be across the board. I don't appreciate being lied to.
Little Snitch is still one of the most powerful apps I run. I wish I could run it on my iPhone. When the OCSP thing went down I was livid. This still pisses me off.
Is the only way to mitigate this to jailbreak the device, edit the /etc/hosts to remap the DNS and point it at your own OCSP caching similar to what is done for airgaps and ICS/SCADA, or could you do this through 3rd party DNS apps, or an iOS VPN profile?
Since High Sierra (released 2017), their documentation points to the App Store installer links instead of to DMGs [1]. It’s still possible to create a DMG installer for newer versions using createinstallmedia on the command line after downloading the installer to a Mac.
It could just be that they are still working on implementing this in a future update, maybe a minor update to Ventura. I would imagine the software engineering team has its hands full every summer with more important things like readying major new versions of all of their platforms.
Except it wasn't just a private plan: Apple made a public written statement about the timeline, in response to a disaster (the Mac "appocalypse") and the resulting public criticism. So this should have been a very high priority.