hoakley November 8, 2021 Macs, Technology

Will Apple honour its promises on OCSP certificate checks?

In the normal run of macOS updates, we wouldn’t expect Monterey 12.1 for a month yet. Although its current beta-release apparently brings SharePlay, slightly delayed from the initial release, there’s no mention of a key feature which Apple promised us almost a year ago: the option to disable signing certificate checks with Apple’s OCSP servers. While this may not be at the top of everyone’s priorities, for many Mac users around the world it’s essential protection from prying state security services, and not a promise that Apple can renege on.

These security certificate checks were introduced secretly by Apple some years ago. We can’t be certain when this started, but they were probably introduced to Gatekeeper’s first run checks in 2017, and extended to apps which had already cleared quarantine by the middle of 2019. Since then, whenever a user opens an app which is signed, macOS is likely to perform an online check with Apple’s OCSP service to determine whether that signature has been revoked by Apple.

This all came out into the open a year ago, when Apple was busy trying to release Big Sur on Thursday 12 November 2020, and suffered some service failures. Among them was its OCSP service which stopped responding correctly to the millions of revocation checks which Macs from all over the world were sending. The effect was devastating: for a few hours, every Mac user who tried to open an app saw its icon bounce in the Dock, where they remained bouncing indefinitely. Apps stopped opening, and users were unable to work or do anything useful with their Macs.

It took the careful work of Jeff Johnson to reveal the following day what had happened. True to form, Apple had clearly known of the outage but said nothing, and even now, a year later, Apple doesn’t provide information about the status of its crucial OCSP service alongside that of all it many other services.

Following extensive coverage in the press, Apple finally broke its silence four days after the outage. It made four undertakings which it published explicitly here, stating: “to further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.” It additionally promised that would make the following changes over the coming year from 16 November 2020:

“a new encrypted protocol for Developer ID certificate revocation checks”;
“strong protections against server failure”;
“a new preference for users to opt out of these security protections”.

Since then, apart from revising that support article, Apple has remained silent about those promises.

Of the four, removal of IP addresses from Apple’s OCSP servers should have happened immediately, and there appear to have been no further server outages, making it plausible that it has made the service more robust.

Apple has made no announcement regarding the more difficult problem of introducing an encrypted protocol to protect revocation checks. This is trickier than it might sound because the obvious answer of using TLS could introduce a circular dependency on being able to check the TLS certificate, which is one reason for many OCSP checks being performed over HTTP rather than HTTPS. I’m not aware that Apple has solved this conundrum and introduced the encryption that it promised us a year ago.

It’s the fourth promise which should be most obvious. I can see no change in Monterey 12.0.1 which provides a means for users to opt out of OCSP revocation checks. Perhaps Apple intends to introduce this in 12.1, but there’s no mention of it in the release notes. It’s also an important issue for those still using Big Sur. Given that Apple’s promise isn’t confined to any future release of macOS, the new user preference should surely also be implemented retrospectively in Big Sur as well, perhaps in its forthcoming 11.6.2 update.

Given the tens of thousands of engineers employed by Apple, and the apparent simplicity of this task, has Apple forgotten the promises it spells out so clearly in that support article, or has it no intention of doing what it still says it will? Perhaps you’d like to ask Apple whether it’s ever going to honour those promises.

For those still waiting for a proper solution to this problem, I’ve compiled some suggestions here.

13Comments

Add yours

1

Thomas Holm on November 8, 2021 at 8:23 am

Howard,
I greatly appreciate your continuing work, but I’m hoping for a comment on the latest MacOS updates bricking a number of T2 macs, apparently due to a Bridge OS bug. I’ve got a 202016″ MBP that was not bricked (yet), but it behaves somewhat strange when I log in after I updated to 11.6.1, so I’m worried. According to your latest SilentKnight (1.17) it has the faulty Bridge OS (that ends in xx48), but your app reports it as current despite MrMacintosh telling us the latest BOS is xx49. What gives? Is there any way to update the BOS beside “reviving” the system?

LikeLiked by 1 person
- 2
  
  hoakley on November 8, 2021 at 8:42 am
  
  Thank you. This isn’t actually relevant to this article, but since you asked…
  Apple hasn’t yet clarified the situation, as far as I’m aware, however your MBP doesn’t need any further update, and SilentKnight gives the correct minimum iBridge firmware version at present.
  The original T2 firmware update worked fine for a great many users, and doesn’t need to be changed for them. However, a small number of T2 Macs failed to update their T2 firmware correctly, resulting in them being bricked. Apple then worked out what was causing the problem with those failed updates, and issued a patched firmware update so that the macOS updates no longer brick any T2 Macs.
  So if your T2 Mac has already been updated successfully, there’s nothing more that you can or should do. You wouldn’t have to revive the firmware either – installing the current Big Sur full installer should (if Apple has updated its version to 11.6.1) apply that single-point iBridge update. But that’s a waste of time, as your Mac wasn’t bricked.
  It would have been very helpful had Apple explained this to users, but as usual I’m happy to do unpaid work on its behalf, as is Mr Macintosh.
  You don’t explain in what “somewhat strange” way your MBP now behaves, but it isn’t attributable to this issue with iBridge firmware.
  Now, SilentKnight uses a single iBridge version as being the correct one.
  I have two choices: if I change that to the very latest, then everyone who had updated successfully using the original update – including my two T2 Macs – will be told their firmware is out of date, but they can’t correct that using an updater. If I leave it as it is, showing the original iBridge version, SilentKnight allows the firmware version to be more recent than that without flagging it as a problem, so that it copes with users who have installed betas.
  The only choice then is not to set the new iBridge version as the ‘correct’ one, isn’t it?
  Howard.
  
  LikeLike
  - 3
    
    Thomas Holm on November 8, 2021 at 12:06 pm
    
    I’m sorry the comment was off topic. Was too worried to not send it. My MBP was unresponsive after restart this morning, but then it rebooted by itself and now it’s working. Made me worry. I’ve had loads of trouble with this machine before, and Apple screwed this up, not your fault, and I’m as grateful as ever that you took the time to answer nevertheless.
    Thanks again!
    
    LikeLiked by 1 person
    - 4
      
      hoakley on November 8, 2021 at 12:40 pm
      
      No problems. The fact that it boots demonstrates it has functional iBridge firmware running. I’m not sure why it seems unresponsive at boot sometimes – but I wonder if it’s suffering a kernel panic during startup. Has it ever shown a panic log? Do you have any third-party kernel extensions installed?
      Howard.
      
      LikeLike
    - 5
      
      Thomas Holm on November 8, 2021 at 1:57 pm
      
      I’ve had numerous kernel panics during startup, but most of them after trying to wake the machine after letting it go to sleep after using my CAD software on an external screen. I always send the panic logs to Apple.
      You helped me some time go, but Apple support told me to reinstall the system, I did, to no avail. I usually turn it off, to avoid the inevitable panic-on-wake. I think I’ve tried everything I can on my own, but I haven’t yet had time to go to the Apple store, I will as soon as I can. I work too much, just like you do!
      This self-reboot after restart is unique, that was what made me worry, I was thinking it’ll brick itself next time I turn it off.
      
      LikeLiked by 1 person
6

CKing123 on November 8, 2021 at 10:19 pm

Howard, I think you will really like CRLite which would not only be privacy preserving, but will even allow offline checks. Mozilla is working on using this to eventually replace OSCP in Firefox for TLS (HTTPS) connections. More details are here from Scott Helme: https://scotthelme.co.uk/crlite-finally-a-fix-for-broken-revocation/

Scott’s article also links to Mozilla blog where it goes into even more details. Apple could use something like CRLite which would have many advantages (offline checks so no need to worry about privacy or availability of service) and small size of Bloom filters so it would not take a lot of storage either.

LikeLiked by 1 person
- 7
  
  hoakley on November 8, 2021 at 10:24 pm
  
  Thank you. Sadly, it’s not up to me. We’re all waiting on Apple, and I’m sure that its engineers are fully aware of CRLite. While providing encryption is clearly something of a challenge, adding a control to the Security & Privacy pane is surely an extremely simple task which doesn’t take a year to implement.
  Howard.
  
  LikeLike
  - 8
    
    CKing123 on November 8, 2021 at 10:28 pm
    
    Agreed. Taking more than a year over this is embarrassing when even a simple TLS connection would protect privacy (though it doesn’t exactly deal with single point of failure of Apple’s servers or no offline support)
    
    LikeLiked by 1 person
9

CKing123 on November 8, 2021 at 10:27 pm

This is trickier than it might sound because the obvious answer of using TLS could introduce a circular dependency on being able to check the TLS certificate, which is one reason for many OCSP checks being performed over HTTP rather than HTTPS.
This is probably a far simpler fix Apple could do (though it still has issues compared to CRLite). The key here is that the first OSCP connection for TLS would only give intention that you are trying to verify an app to anyone on the network. It would not give away information about the app. Once OSCP check for TLS succeeds, the actual information for verifying an app is sent over TLS and is protected from anyone spying over the network. Again, it depends on Apple to implement *something* to improve the checks. The current OSCP model of sending app information is troubling and shouldn’t have taken anywhere near as long to fix as a year (and this is assuming it will get fixed soon)

LikeLiked by 1 person
- 10
  
  hoakley on November 8, 2021 at 10:35 pm
  
  I’m sorry, I think you misunderstand Apple’s last undertaking to add a control to allow users to disable checks altogether. Currently the only way to do this is to block all outgoing connections to the OCSP server, which is clumsy and fiddly. That’s very simple for Apple to implement regardless of how revocation checks are performed.
  So why hasn’t Apple at least done that, even if it’s still trying to solve the encryption problem?
  Howard
  
  LikeLike
  - 11
    
    CKing123 on November 9, 2021 at 7:42 am
    
    Thanks! I missed that entirely. Yeah an opt-out should have been implemented long ago, and even the encryption problem should have been solved already.
    
    LikeLiked by 1 person
12

Michael Tsai - Blog - Apple Server Outage Makes Mac Apps Hang on Launch on November 12, 2021 at 4:51 pm

[…] Update (2021-11-12): Howard Oakley: […]

LikeLike
13

Tom on January 10, 2022 at 10:56 pm

It’s now 2022. The answer is “No.”

LikeLiked by 1 person

·Comments are closed.

Share this:

Like this:

Related