
Why would Apple care about hiding Gatekeeper traffic from internet providers?


I’m guessing they want to hide it more from users. The recent bypassing of local firewalls shows this, for example.


The bypassing has nothing to do with wanting to hide it from users. Even if they did care about hiding it, they know how trivial it would be to discover it, as we already saw only hours after the release.

And those lookups have nothing to do with DNS, so this wouldn’t help nor hurt anything related to that.


The bypassing has to do with exerting their control despite user wishes. Hiding “complexity” from users is one method that is at the core of Apple’s brand.

Yes, very smart people uncover this kind of thing regularly, but the trend feels like Apple is just trying to refine the process until they have a “perfectly secure” device by virtue of the fact that not even legitimate owners are able to enforce their wishes when those wishes are counter to Apple’s mandates.


You’re making assumptions about their motivations, and they’re not correct. They are not doing it despite user wishes. They did it under the reasonable assumption that the user has no such wish. It likely didn’t cross their mind.


Yes. We’re both making assumptions.

Apple is surely aware of Little Snitch and other firewalls, and that the markets for those are dependent on a percentage of users who want absolute insight and control into their network traffic. Similarly, there are journalists and sources who must by nature be very cautious about all network traffic. It would be hard to argue, I think, that Apple is unaware of both of these groups of users, and if they are aware, it must follow that it crossed their mind.

Whether that crossing their mind means they discarded it or intentionally chose to go against it may be a question that only gets answered in hindsight since Apple says very little publicly.


Wouldn't it still show up in netstat?



Because it's none of Comcast's business what software I run?


Because it's none of Comcast's business what software I run?

There's no way for your ISP to know what software you're running.

Gatekeeper checks if your app is malware (or not) and if it's been signed with a valid Apple developer certificate. The OCSP lookup goes over in the clear currently, but that's how OCSP works everywhere. Your DNS provider can see the OCSP lookup but that's about it.

Apple is in the process of addressing this; you can read the details of how the current process works at https://eclecticlight.co/2020/11/16/checks-on-executable-cod...


For most of the software on my computer, the developer certificate is enough information to know what software I'm running.

Are they going to think I'm running some other piece of software signed by Slack Inc.?


For most of the software on my computer, the developer certificate is enough information to know what software I'm running.

All your ISP can see is certificate hashes, OCSP lookups and DNS queries. It can't know what certificate hash is connected to what developer application…


Presumably that's an unsalted hash so that it can be checked against the list of certificate revocations, so whether it's a hash or not doesn't do anything for privacy. It's the same hash of Slack's dev certificate that every other Slack customer is sending.

Anyone snooping the connection can figure that out and see that my computer said "Check the revocation status of Slack Inc.," and the same goes for literally every other software company's certificate hash.

I'm glad it's being fixed but it's still bad that it was done this way in the first place.
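To make the linkability argument in the comment above concrete, here is a small added example (not code from the thread, Apple, or any real certificate); it models the identifier an RFC 6960 OCSP request carries, the CertID, which is built from a hash of the issuer's name, a hash of the issuer's public key and the certificate's serial number, with no per-client randomness. The certificates, issuer name, key bytes and serial numbers are constructed placeholders. Because the identifier is deterministic and the certificate behind it ships inside every signed app, an observer of cleartext traffic only needs an ordinary lookup table, not a rainbow table, to turn an observed request back into a publisher name; encrypting the exchange or caching the answer so the request is rarely sent are the mitigations the rest of the thread refers to.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# CertID as defined in RFC 6960: (hash(issuerName), hash(issuerKey), serialNumber).
CertID = Tuple[str, str, int]


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a code-signing certificate (not a real one)."""
    subject: str        # publisher name printed on the certificate
    issuer_name: bytes  # DER-encoded issuer distinguished name (placeholder bytes)
    issuer_key: bytes   # issuer public key bytes (placeholder bytes)
    serial: int         # serial number assigned by the issuer


def ocsp_cert_id(cert: Cert) -> CertID:
    """Compute the deterministic CertID an OCSP client would send.

    Nothing client-specific and no salt goes into it, so every machine
    checking the same certificate emits exactly the same identifier.
    """
    return (
        hashlib.sha1(cert.issuer_name).hexdigest(),
        hashlib.sha1(cert.issuer_key).hexdigest(),
        cert.serial,
    )


# One constructed issuing CA shared by all the developer certificates below.
ISSUER_NAME = b"CN=Example Developer Certification Authority (constructed)"
ISSUER_KEY = b"example-issuer-public-key-bytes (constructed)"

# Constructed publishers; in practice the certificate is public because it is
# embedded in every signed application bundle the publisher ships.
PUBLIC_CERTS = [
    Cert("Example Chat Inc.", ISSUER_NAME, ISSUER_KEY, 0x1001),
    Cert("Example Editor LLC", ISSUER_NAME, ISSUER_KEY, 0x1002),
    Cert("Example Games Co.", ISSUER_NAME, ISSUER_KEY, 0x1003),
]


def build_lookup_table(certs) -> Dict[CertID, str]:
    """Precompute CertID -> publisher from publicly available certificates."""
    return {ocsp_cert_id(c): c.subject for c in certs}


def resolve_observed_request(table: Dict[CertID, str], cert_id: CertID) -> Optional[str]:
    """Map an identifier seen in cleartext back to a publisher, if known."""
    return table.get(cert_id)


def demo() -> Optional[str]:
    table = build_lookup_table(PUBLIC_CERTS)
    # Two unrelated users launching the same app send byte-identical CertIDs,
    # which is exactly why the hash adds no privacy.
    request_from_user_a = ocsp_cert_id(PUBLIC_CERTS[0])
    request_from_user_b = ocsp_cert_id(PUBLIC_CERTS[0])
    assert request_from_user_a == request_from_user_b
    return resolve_observed_request(table, request_from_user_a)


if __name__ == "__main__":
    print(demo())  # Example Chat Inc.
```

The lookup table here is the entire "attack surface" the comment describes: the only inputs are certificates that are public by design, and the identifier is stable across users and across launches until the certificate is renewed. A serial number the observer has never catalogued resolves to nothing, which is why the thread's point about certificates rotating is a partial, time-limited mitigation rather than a fix.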


It's not hard to match up a certificate hash to the issuer, because most issuers will likely only have a couple of certificates to simplify internal PKI. It's something that can be solved with a rainbow table, there aren't even salts involved.


It's not hard to match up a certificate hash to the issuer, because most issuers will likely only have a couple of certificates to simplify internal PKI.

These are Apple certificates; they have nothing to do with a company's internal PKI.

It's something that can be solved with a rainbow table, there aren't even salts involved.

1. Certificates change; probably yearly, knowing Apple.

2. The OCSP check gets cached; the certificate lookup doesn't happen every time you launch an app.

3. You can block the OCSP lookup if you're all bent out of shape about it or strip the developer's signature and sign it using a different certificate.

4. The new protocol for checking will be encrypted and there will be UI for opting out of these checks.



