With macOS Big Sur there are still questions about privacy on Macs and the operation of the OCSP server


Last Thursday the 12th, Apple released the final version of macOS Big Sur, and almost a week later the first problems with this new version are starting to appear. These are not only compatibility problems with some Macs, specifically the older models that are still supported by the new version of the operating system; there are also difficulties opening certain applications while connected to the Internet. It seems that the problem lies with Apple's OCSP server.


To understand the problem a little better, it is necessary to know first what Apple's OCSP server and Gatekeeper are.

All Macs come with a security system that verifies that the applications we run are safe. This check is based on a small certificate included in the app, which certifies that Apple checked the app when the developer submitted it and found everything in order. The system must then verify that this certificate is still valid and has not been revoked for security reasons. So, each time an application is run, the system asks Apple's OCSP (Online Certificate Status Protocol) servers for the certificate's status. If Apple's servers reply that it is still valid, the app starts without further ado.

Now, keep in mind that this connection to the servers is not encrypted. If an HTTPS connection were used, it would create an endless loop: the HTTPS certificate would have to be checked using OCSP, that OCSP check would itself run over HTTPS, whose certificate would again need to be checked, and so on.
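To make concrete what an on-path observer sees on that unencrypted connection, here is an added example (not code from the article or from Apple) that builds a minimal RFC 6960 OCSPRequest for one CertID and decodes the CertID back out: the issuer hashes and the certificate serial number, which together identify the signing certificate being checked. The issuer name, issuer key and serial are constructed sample values, not Apple's real ones.

```python
# Added, constructed example (not the article's or Apple's code); see the lead-in for assumptions.
import hashlib
SHA1_OID = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26 (sha1), the usual CertID hash

def der(tag: int, body: bytes) -> bytes:  # minimal DER TLV encoder, definite-length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_ocsp_request(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:  # one-CertID request body
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))  # AlgorithmIdentifier: sha1, NULL
    # +8 bits keeps a leading 0x00 when the high bit is set, so the INTEGER stays positive
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    cert_id = der(0x30, alg + der(0x04, hashlib.sha1(issuer_name).digest())
                  + der(0x04, hashlib.sha1(issuer_key).digest()) + serial_der)
    request_list = der(0x30, der(0x30, cert_id))          # SEQUENCE OF Request { CertID }
    return der(0x30, der(0x30, request_list))             # OCSPRequest { TBSRequest { ... } }

def read_tlv(buf: bytes, pos: int = 0):  # -> (tag, body, next_pos) of the element at buf[pos]
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body: bytes):  # (tag, body) members of a constructed element
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_cert_ids(ocsp_request: bytes):
    """Recover (issuerNameHash hex, issuerKeyHash hex, serialNumber) for every Request."""
    _, tbs_tlv, _ = read_tlv(ocsp_request)                # OCSPRequest SEQUENCE
    _, tbs, _ = read_tlv(tbs_tlv)                         # TBSRequest SEQUENCE
    # optional [0] version / [1] requestorName come first; requestList is the plain SEQUENCE
    request_list = next(body for tag, body in children(tbs) if tag == 0x30)
    ids = []
    for _, req in children(request_list):                 # each Request SEQUENCE
        _, cert_id, _ = read_tlv(req)                     # its CertID SEQUENCE
        _, name_hash, key_hash, serial = [b for _, b in children(cert_id)]
        ids.append((name_hash.hex(), key_hash.hex(), int.from_bytes(serial, "big")))
    return ids

if __name__ == "__main__":  # constructed sample values; no real issuer or serial is on the page
    req = build_ocsp_request(b"CN=Sample Developer ID CA", b"sample-issuer-spki", 0x1A2B3C4D)
    print(decode_cert_ids(req))
```

Because the same serial is sent on every launch of an app signed with that certificate, whoever can read the plaintext request body can link launches to a developer even without any user identifier in the message.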

With macOS Big Sur, OCSP traffic is still unencrypted

Following the launch of macOS Big Sur on Thursday, Mac users began experiencing problems opening applications while connected to the Internet. Apple's system status page attributed the situation to problems with its Developer ID notary service, and developer Jeff Johnson specified that there were connection problems with Apple's OCSP server. Jeffrey Paul added that, in addition, the OCSP traffic generated by macOS is not encrypted and can be seen by ISPs (Internet Service Providers).

Apple has responded to the matter by updating its support document "Safely open apps on your Mac" with new information:

macOS is designed to keep users and their data safe while respecting their privacy. Gatekeeper performs online checks to see if an application contains known malware and if the developer's signing certificate is revoked. We have never combined the data from these checks with information about Apple users or their devices. We do not use the data from these checks to find out what individual users are starting or running on their devices. Notarization verifies if the application contains known malware using an encrypted connection that is resistant to server failure.

These security checks have never included the user's Apple ID or the identity of their device. To further protect privacy, we have stopped logging the IP addresses associated with Developer ID certificate checks and will ensure that all collected IP addresses are removed from the logs.

Apart from all the above, the Californian company plans to introduce several changes to the system over the next year:

  • A new encrypted protocol for Developer ID certificate revocation checks.
  • Improvements to protections in case of server failures.
  • A new preference for users to opt out of these security protections. In this way, if any user prefers to expose themselves to the risk of unverified apps, they can deactivate the system completely, under their own responsibility.

The point is that Apple does want to respect user privacy, which is why it has modified its support document and announced future plans to improve these issues. We will follow this evolution carefully, because personally it is one of the characteristics that I praise the most

