By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Last Thursday afternoon, Mac users everywhere began complaining of a crippling slowdown when opening apps. The cause: online certificate checks Apple performs each time a user opens an app not downloaded from the App Store. The mass upgrade to Big Sur, it seems, caused the Apple servers responsible for these checks to slow to a crawl. Apple quickly fixed the slowdown, but concerns about paralyzed Macs were soon replaced by an even bigger worry—the vast amount of personal data Apple, and possibly others, can glean from Macs performing certificate checks each time a user opens an app that didn’t come from the App Store. For people who understood what was happening behind the scenes, there was little reason to view the certificate checks as a privacy grab. Just to be sure, though, Apple on Monday published a support article that should quell any lingering worries. More about that later—first, let’s back up and provide some background. Before Apple allows an app into the App Store, it must first pass a review that vets its security. Users can configure the macOS feature known as Gatekeeper to allow only these approved apps, or they can choose a setting that also allows the installation of third-party apps, as long as these apps are signed with a developer certificate issued by Apple. To make sure the certificate hasn’t been revoked, macOS uses OCSP—short for the industry-standard Online Certificate Status Protocol — to check its validity. Checking the validity of a certificate—any certificate—authenticating a website or piece of software sounds simple enough, but it has long presented problems industrywide that aren’t easy to solve. The initial means was the use of certificate revocation lists, but as the lists grew, their size prevented them from working effectively. CRL gave way to OCSP, which performed the check on remote servers. OCSP, it turned out, had its own drawbacks. Servers sometimes go down, and when they do, OCSP server outages have the potential to paralyze millions of people trying to do things like visit sites, install apps, and check email. To guard against this hazard, OCSP defaults to what’s called a “soft fail.” Rather than block the website or software that’s being checked, OCSP will act as if the certificate is valid in the event that the server doesn’t respond. Somehow, the mass number of people upgrading to Big Sur on Thursday seems to have caused the servers at ocsp.apple.com to become overloaded but not fall over completely. The server couldn’t provide the all-clear, but it also didn’t return an error that would trigger the soft fail. The result was huge numbers of Mac users left in limbo. Apple fixed the problem with the availability of ocsp.apple.com, presumably by adding more server capacity. Normally, that would have been the end of the issue, but it wasn’t. Soon, social media was awash in claims that the macOS app-vetting process was turning Apple into a Big Brother that was tracking the time and location whenever users open or reopen any app not downloaded from the App Store. The post Your Computer Isn’t Yours was one of the catalysts for the mass concern. It noted that the simple HTML get-requests performed by OCSP were unencrypted. That meant that not only was Apple able to build profiles based on our minute-by-minute Mac usage but so could ISPs or anyone else who could view traffic passing over the network. (To prevent falling into an infinite authentication loop, virtually all OCSP traffic is unencrypted, although responses are digitally signed.) Fortunately, fewer alarmist posts like this one provided a more helpful background. The hashes being transmitted weren’t unique to the app itself but rather the Apple-issued developer certificate. That still allowed people to infer when an app such as Tor, Signal, Firefox, or Thunderbird was being used, but it was still less granular than many people first assumed. In an attempt to further assure Mac users, Apple Monday published a post. It explains what the company does and doesn’t do with the information collected through Gatekeeper and a separate feature known as notarization, which checks the security even of non-App Store apps. The post went on to say that in the next year, Apple will provide a new protocol to check if developer certificates have been revoked, provide “strong protections against server failure,” and present a new OS setting for users who want to opt-out of all of this. The controversy over behavior that macOS has been doing since at least the Catalina version was introduced last October underscores the tradeoff that sometimes occurs between security and privacy. Gatekeeper is designed to make it easy for less experienced users to steer clear of apps that are known to be malicious. To make use of Gatekeeper, users have to spend a certain amount of information to Apple. Not that Apple is completely without fault. For one thing, developers haven’t provided an easy way to opt-out of OCSP checks. That has made blocking access to ocsp.apple.com the only way to do that, and for less experienced Mac users, that’s too hard.For more turn to OUR FORUM.