In brief
- Apple users reported slow and unresponsive computers on November 12, the same day the new Mac operating system was released.
- Apple’s servers were apparently flooded with requests from individual computers.
- The server failure highlighted a privacy loophole, whereby unencrypted data could be seen by third parties.
That sound you heard Thursday noon was the collective groan of a million Mac users restarting their super slow computers as Apple struggled with an apparent server outage.
The slowdown coincided (coincidentally or not) with the launch of Apple’s new operating system, Big Sur, but Mac users who had not yet installed the latest California-themed operating system also had trouble getting their apps to function properly.
Ironically, while Apple leans on pro-privacy rhetoric and Big Sur claims to bring privacy enhancements, the outage highlighted a bigger issue with unencrypted data.
According to Mac developer Jeff Johnson, Macs could not connect to a server related to the Online Certificate Status Protocol (OCSP), which is used to ensure that a digital certificate is valid. Apple’s servers were unable to keep up with requests from the server.
In a summary of the issue, security researcher Jeffrey Paul said yesterday’s flaw exposed a privacy issue that was already there:
“It turns out that in the current version of macOS, the operating system sends Apple a hash (unique identifier) of each and every program it runs when it runs. A lot of people didn’t realize this, because it’s silent and invisible and it crashes instantly and gracefully when offline, but today the server got very slow and didn’t hit the fast fault code path, and everyone’s applications crashed for open if they were connected to the Internet.”
So when you are online, Apple knows what apps you are using. Additionally, macOS sends unencrypted OCSP requests, which can be viewed by Internet Service Providers. (Decipher reached out to Apple for comment, but has yet to receive a response.)
Matthew Hardeman, software developer and network engineer, told Decipher, “All Macs running recent versions of macOS send OCSP queries to Apple, at least in the default settings.”
Through its Gatekeeper system, “macOS is prospectively checking, when you try to start an application, to see if Apple has questioned its assessment of the security of the software you are trying to start.”
This brings with it several privacy issues. First, because your computer has to send your IP to communicate with Apple, it means that Apple can see your IP address and the application you are trying to use. Second, OCSP uses unencrypted HTTP communications, so “any entity with visibility of your macOS-based computer could also observe and / or record these events.”
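To make the plaintext exposure concrete, the following added example (not from the article or from Apple) decodes an OCSP GET URL the way any on-path observer could, using the request layout from RFC 6960: the URL path carries the base64-encoded DER request, whose CertID holds the issuer hashes and the certificate serial number. The host, hashes and serial are constructed sample values.

```python
import base64
from urllib.parse import quote, unquote, urlsplit

def tlv(tag, body):
    """Encode one DER element; short-form length is enough for the sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read(buf, pos=0):
    """Decode the DER element at pos; return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def sample_url():
    """Constructed OCSP GET URL: made-up host, issuer hashes and serial."""
    sha1 = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    cert_id = tlv(0x30, sha1 + tlv(0x04, b"\x11" * 20) + tlv(0x04, b"\x22" * 20)
                  + tlv(0x02, bytes.fromhex("0123456789abcdef")))
    # OCSPRequest > TBSRequest > requestList > Request > CertID
    der = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
    return "http://ocsp.example.test/ocsp/" + quote(base64.b64encode(der).decode(), safe="")

def visible_fields(url):
    """Fields any on-path observer can read from a plaintext OCSP GET."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("not plaintext HTTP")
    der = base64.b64decode(unquote(parts.path.rsplit("/", 1)[1]))
    tbs = read(read(der)[1])[1]          # OCSPRequest -> TBSRequest body
    tag, body, nxt = read(tbs)
    while tag != 0x30:                   # skip optional [0] version, [1] requestorName
        tag, body, nxt = read(tbs, nxt)
    cert_id = read(read(body)[1])[1]     # requestList -> first Request -> CertID body
    _, alg, p = read(cert_id)
    _, name_hash, p = read(cert_id, p)
    _, key_hash, p = read(cert_id, p)
    _, serial, _ = read(cert_id, p)
    return {"host": parts.hostname, "hash_oid": read(alg)[1].hex(),
            "issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex()}

if __name__ == "__main__":
    for field, value in visible_fields(sample_url()).items():
        print(f"{field}: {value}")
```

Running the same decoder over your own proxy or packet-capture logs shows which certificate identifiers leave the network in the clear.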
Although he said that in most circumstances it is not a major concern, Hardeman told Decipher, “I think that everyone probably does not like that third parties can observe that you are launching an application and that they can discern which application.”
Judging from the reaction to Paul’s article on Crypto Twitter, it was indeed a concern.
Hardeman hinted that Apple is more or less using an industry standard protocol, as it is intended to be used, and that most people benefit from it. However, he asked Apple to correct the errors that “caused all the screaming yesterday.”
Also, if Apple is as dedicated to privacy as it claims, the standard may not be good enough anymore.