Will Apple honour its promises on OCSP certificate checks?

In the normal run of macOS updates, we wouldn’t expect Monterey 12.1 for a month yet. Although its current beta release apparently brings SharePlay, slightly delayed from the initial release, there’s no mention of a key feature which Apple promised us almost a year ago: the option to disable signing certificate checks with Apple’s OCSP servers. While this may not be at the top of everyone’s priorities, for many Mac users around the world it’s essential protection from prying state security services, and not a promise that Apple can renege on.

Apple introduced these certificate checks quietly some years ago. We can’t be certain when this started, but they were probably added to Gatekeeper’s first-run checks in 2017, and extended to apps which had already cleared quarantine by the middle of 2019. Since then, whenever a user opens a signed app, macOS is likely to perform an online check with Apple’s OCSP service to determine whether Apple has revoked the certificate used to sign it.

This all came out into the open a year ago, when Apple was busy trying to release Big Sur on Thursday 12 November 2020, and suffered some service failures. Among them was its OCSP service, which stopped responding correctly to the millions of revocation checks which Macs from all over the world were sending. The effect was devastating: for a few hours, every Mac user who tried to open an app saw its icon bounce in the Dock indefinitely. Apps stopped opening, and users were unable to work or do anything useful with their Macs.

It took the careful work of Jeff Johnson to reveal the following day what had happened. True to form, Apple had clearly known of the outage but said nothing, and even now, a year later, Apple doesn’t provide information about the status of its crucial OCSP service alongside that of all its many other services.

Following extensive coverage in the press, Apple finally broke its silence four days after the outage. It made four undertakings which it published explicitly here, stating: “to further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.” It additionally promised that it would make the following changes over the coming year from 16 November 2020:

  • “a new encrypted protocol for Developer ID certificate revocation checks”;
  • “strong protections against server failure”;
  • “a new preference for users to opt out of these security protections”.

Since then, apart from revising that support article, Apple has remained silent about those promises.

Of the four, removal of IP addresses from Apple’s OCSP servers should have happened immediately, and there appear to have been no further server outages, making it plausible that it has made the service more robust.

Apple has made no announcement regarding the more difficult problem of introducing an encrypted protocol to protect revocation checks. This is trickier than it might sound. OCSP responses are themselves signed, so plain HTTP is enough to protect their integrity; what it doesn’t protect is the request, which carries the serial number and issuer hashes of the certificate being checked and so reveals which developer’s app is being opened. The obvious answer of wrapping the exchange in TLS could introduce a circular dependency, because validating the TLS certificate may itself call for a revocation check, which is one reason for many OCSP checks being performed over HTTP rather than HTTPS. I’m not aware that Apple has solved this conundrum and introduced the encryption that it promised us a year ago.
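To make concrete what an unencrypted revocation check gives away, here is an added example (constructed for this article, not Apple’s code and not anything from trustd) which builds a minimal RFC 6960 OCSP request with only the Python standard library, then parses it the way an observer on the network path could and matches the CertID against a directory of certificates hashed in advance. The issuer name, issuer key bytes, serial number and developer label are all made-up stand-ins; a real observer would precompute the directory from the public Developer ID certificates found inside signed apps.

```python
"""Minimal OCSP request builder and parser (RFC 6960), standard library only.

Added example: the CertID (hash algorithm, hash of issuer name, hash of issuer
key, serial number) travels in the clear over HTTP, so anyone on the path who
has pre-hashed the public signing certificates can tell which one is being
checked. Not Apple's code; all sample data below is constructed.
"""
import hashlib

# --- tiny DER encoder -------------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*parts):                       # SEQUENCE / SEQUENCE OF
    return der(0x30, b"".join(parts))

def octets(b):                         # OCTET STRING
    return der(0x04, b)

def integer(n):                        # non-negative INTEGER, leading 0x00 if high bit set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):                       # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

HASH_ALGS = {"1.3.14.3.2.26": ("sha1", hashlib.sha1),
             "2.16.840.1.101.3.4.2.1": ("sha256", hashlib.sha256)}
OID_NAMES = {oid(d): name for d, (name, _) in HASH_ALGS.items()}

def build_ocsp_request(issuer_name_der, issuer_pubkey, serial, hash_oid="1.3.14.3.2.26"):
    """Unsigned OCSPRequest carrying one CertID (RFC 6960 section 4.1.1)."""
    _, h = HASH_ALGS[hash_oid]
    cert_id = seq(
        seq(oid(hash_oid), b"\x05\x00"),          # AlgorithmIdentifier, NULL parameters
        octets(h(issuer_name_der).digest()),      # issuerNameHash over the issuer's DER Name
        octets(h(issuer_pubkey).digest()),        # issuerKeyHash over the issuer's subjectPublicKey bits
        integer(serial),                          # serialNumber of the certificate being checked
    )
    request = seq(cert_id)                        # Request
    tbs = seq(seq(request))                       # TBSRequest { requestList }
    return seq(tbs)                               # OCSPRequest without optionalSignature

# --- tiny DER decoder, i.e. what an on-path observer runs ---------------------
def der_read(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def parse_ocsp_request(data):
    """Return the CertID fields of every Request inside a cleartext OCSPRequest."""
    _, body, _ = der_read(data)                   # OCSPRequest
    _, tbs = der_children(body)[0]                # TBSRequest
    # [0] version and [1] requestorName are optional; requestList is the first SEQUENCE
    request_list = next(val for tag, val in der_children(tbs) if tag == 0x30)
    cert_ids = []
    for _, req in der_children(request_list):
        _, cert_id = der_children(req)[0]
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)
        alg_oid = der(0x06, der_children(alg)[0][1])
        cert_ids.append({"hash_alg": OID_NAMES.get(alg_oid, alg_oid.hex()),
                         "issuer_name_hash": name_hash.hex(),
                         "issuer_key_hash": key_hash.hex(),
                         "serial": int.from_bytes(serial, "big")})
    return cert_ids

def identify(request_bytes, directory):
    """Match each CertID against a directory of pre-hashed known certificates."""
    return [directory.get((c["issuer_name_hash"], c["issuer_key_hash"], c["serial"]),
                          "unknown certificate") for c in parse_ocsp_request(request_bytes)]

# --- constructed sample data, not real Apple certificates ---------------------
ISSUER_NAME = seq(der(0x31, seq(oid("2.5.4.3"), der(0x13, b"Example Developer ID CA"))))
ISSUER_KEY = b"\x04" + bytes(range(64))          # stand-in for a subjectPublicKey
SERIAL = 0x1234567890ABCDEF

def sample_directory(hash_oid="1.3.14.3.2.26"):
    """The table an observer would precompute from publicly available signed apps."""
    _, h = HASH_ALGS[hash_oid]
    return {(h(ISSUER_NAME).hexdigest(), h(ISSUER_KEY).hexdigest(), SERIAL):
            "Example Developer (constructed)"}

if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME, ISSUER_KEY, SERIAL)
    print(req.hex())
    print(parse_ocsp_request(req))
    print(identify(req, sample_directory()))
```

Nothing in the request is secret: the two hashes identify the issuing CA and the serial number identifies the leaf certificate, so the matching step needs no cryptographic effort at all. That is why the signed response, which protects integrity, does nothing for privacy, and why an encrypted transport for the request is the substantive part of Apple’s promise.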

It’s the fourth promise which should be most obvious. I can see no change in Monterey 12.0.1 which provides a means for users to opt out of OCSP revocation checks. Perhaps Apple intends to introduce this in 12.1, but there’s no mention of it in the release notes. It’s also an important issue for those still using Big Sur. Given that Apple’s promise isn’t confined to any future release of macOS, the new user preference should surely also be implemented retrospectively in Big Sur, perhaps in its forthcoming 11.6.2 update.

Given the tens of thousands of engineers employed by Apple, and the apparent simplicity of this task, has Apple forgotten the promises it spells out so clearly in that support article, or has it no intention of doing what it still says it will? Perhaps you’d like to ask Apple whether it’s ever going to honour those promises.

For those still waiting for a proper solution to this problem, I’ve compiled some suggestions here.