Is Apple keeping its promises over online OCSP certificate checks?

Cast your mind back to Thursday 12 November last year (2020, in case time still seems out of joint). Let me remind you of what occurred on that day to millions of Macs around the world.

It happened to be the day that Big Sur was released to the public, unusually not in its first version 11.0, but as 11.0.1. That coincided with two prominent Apple server failures: those intended to deliver Big Sur inauspiciously hit a problem, delaying its release for many, and went down for several hours.

At the time, few knew of the significance of, and the great majority of us were blissfully ignorant of OCSP too. But that second and greater misfortune which struck Apple and even more millions of Mac users that day stopped apps dead in their tracks, their users unable to launch the software on which they rely.

It wasn’t until the following day that a full explanation was provided, not by Apple, but by Jeff Johnson, one of the most knowledgeable and experienced Mac developers on the planet. His account led a general call for urgent action.

Apple responded swiftly, announcing on Monday 16 November – immediately following the weekend in which there had been intense public discussion – that it would address the issues raised. Not only that, but its undertakings were published explicitly here, stating: “to further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.” It additionally promised that would make the following changes over the coming year (from 16 November 2020):

  • “a new encrypted protocol for Developer ID certificate revocation checks”;
  • “strong protections against server failure”;
  • “a new preference for users to opt out of these security protections”.

With less than three months to go to the end of that year, I can’t discover any further announcements from Apple that anything has changed, and by the end of November last year the trail runs cold. Apple revised that support article on 30 March 2021, but doesn’t appear to have altered anything of substance concerning its OCSP checks.

Of Apple’s four promises, removal of IP addresses from the OCSP servers should have happened immediately, and there appear to have been no further server outages, making it plausible that the service is now more robust.

Apple has made no announcement regarding the more difficult problem of introducing an encrypted protocol to protect revocation checks. This is more difficult than it might sound because the obvious answer of using TLS would introduce a circular dependency on being able to check the TLS certificate, which is the reason for many OCSP checks being performed over HTTP rather than HTTPS. I’m not aware that Apple has solved this conundrum and introduced the encryption that it promised last November.

It’s the fourth promise which should be most obvious. I can see no change in Big Sur which provides a means for users to opt out of OCSP revocation checks. Perhaps Apple intended to introduce this in Monterey, but there’s no mention in the full list of its features, nor can I see any reference to it in release or other notes, nor comments by those currently testing betas. As far as I can tell, the Security & Privacy pane, where such a control would be expected to appear, makes no mention.

I think it’s time for Apple to provide an update on its progress in implementing the changes which it so publicly announced on 16 November 2020.

In the meantime, if you do want to ensure that your Mac doesn’t perform OCSP checks, I’ve compiled my recommendations here.