Gatekeeper Already Present in OS X 10.7.3, Available for Developer Testing

[dashiel]

Quote:

Originally Posted by petsounds

As I said, it's a concern. I'm not saying it's going to happen. But it's a steep cliff and a long way down should Apple decide to exert "editorial control" over the apps it has signed. You trust them to play fair, I don't. Jobs never gave me much reason to. Perhaps the Tim Cook-era Apple will instill some. I hope!

This is inductive reasoning run amuck. A leads to B, B leads to C, C leads to D, therefore A leads to Z, except Apple hasn’t even done A yet. I don’t think there’s a single instance of Apple abusing (or using for that matter) a signed certificate or “kill switch” to remove or stop the distribution of an iOS app.

Chalkboards aren’t a convincing argument.

Quote:

Originally Posted by petsounds

And why would Apple need that kind of authority? Having a list of flagged apps is enough to notify users of malicious code. Control of the cert signing would only be necessary to cause apps to no longer run -- something you argue Apple would never do.

The whole point of using a signed certificate is so Apple is certain the App they’re going to prevent from being installed is the App. The blacklist of flagged apps as you suggest is already in place that’s what Apple used to fend off MacDefender, the problem is MacDefender just kept changing the name so it slipped through the black list. Having a cryptographically signed app means Apple knows exactly what App it can block.

Additionally it adds levels of social security. Malicious software developers can easily acquire signed certificates, either self-signed or from less than reputable sources. Apple issuing the certificate adds a layer of complexity for criminals having to come up with a credit card, a fake address, fake name, masked IP, etc… all of course easily circumvented, at the same time still a hassle.

A signed cert from Apple has the weight of Apple’s reputation behind it, your mistrust aside, most people have a lot more faith in Apple than GoDaddy. As I mentioned earlier this program is basically allowing third party developers to ride along on Apple’s coattails in terms of consumer trust.

[charlituna]

Quote:

Originally Posted by waltermitty

This is ridiculous. An obvious money grabbing attempt by making users (by default) go through their App Store to get their software and system updates.

Hardly since you can get a certificate just by asking for one. And then you have no issues until it is found out that you are distributing malware and then your certificate will be invalidated and those that have blocked non signed and non MAS apps won't accidentally open it and cause any harm.

----------

Quote:

Originally Posted by Stella

You turn off Gate Keeper.

Or after it warns you that your software may not be safe you use the whole Option+click method to open it without the warning that Apple isn't keeping a secret.

----------

Quote:

Originally Posted by Nermal

Do you have a reference for that? I've seen a couple of people mention it but I'm having trouble with finding official documentation stating that a Developer ID is free.

A developer ID is not free. But as a registered developer a signing certification for your apps is.

----------

Quote:

Originally Posted by babyj

I believe the whole point is that Apple will be the only ones issuing certificates and if an app turns out to be bad they have a big kill switch button they can press.

Yes and no. They can kill the app from automatically opening as a 'signed app' but the user can always open it anyway.

[petsounds]

Quote:

Originally Posted by dashiel

This is inductive reasoning run amuck. A leads to B, B leads to C, C leads to D, therefore A leads to Z, except Apple hasn’t even done A yet. I don’t think there’s a single instance of Apple abusing (or using for that matter) a signed certificate or “kill switch” to remove or stop the distribution of an iOS app.

You're being a bit pedantic here. Mountain Lion != iOS. On iOS, aside from jailbreaking the only way to get an app on your device is through the App Store. On ML, you only need a signed app (under default settings) to install it. So there's no precedent for Apple using certs to block apps because if Apple wants to blackball an iOS app, they just remove it from their store. Yes, a few people can keep it backed up locally and Apple hasn't remotely removed them (if they even have that ability), but effectively the app is dead.

What we're discussing with a cert being revoked is no different. People can still install it, but the vast majority won't touch it if the cert is dead, and the app maker won't be able to release a new version.

Quote:

Additionally it adds levels of social security. Malicious software developers can easily acquire signed certificates, either self-signed or from less than reputable sources. Apple issuing the certificate adds a layer of complexity for criminals having to come up with a credit card, a fake address, fake name, masked IP, etc… all of course easily circumvented, at the same time still a hassle.

In regards to your MacDefender example, I was inferring that Apple key off the 3rd-party cert, not a binary hash of the app executable. If Apple did allow 3rd-party certs, it would obviously only be from trustworthy signing authorities like VeriSign. Yes, info can be faked just like with an Apple cert, but it gives developers more flexibility and control rather than be corralled into a pen by Apple. I see no reasonable benefit to Apple controlling the cert process.

[ArmCortexA8]

Hi all

I just tried this in Mac OSX on my 2011 MacBook Air. I did a Flash update with this feature enabled, and got the options of got to trash or cancel. There was no choice for me to continue. In effect I was forced to turn this feature off before I could update Flash.

[DigitalFreedom]

The fact is Apple is trying to force a locked system approach the way they have it in iOs - to rule everything - is sad. And I think they'll even get some court cases regarding that from third-party software distributors.

What I did like in 10.8 is that they FINALLY made it possible to disable that **** "Reopen windows when logging back in" check-box. It's getting disabled after you uncheck that option in General settings. Oh my, why didn't they do this simple thing in Lion, even in 10.3? Heh - just to get your money again.

Also 10.8 features some nice new multi-touch gestures for laptop and magic trackpad owners. And it runs faster than Lion.

The only thing that can drop Apple success is their greedy managers - their engineers are excellent.

[dashiel]

Quote:

Originally Posted by petsounds

You're being a bit pedantic here. Mountain Lion != iOS. On iOS, aside from jailbreaking the only way to get an app on your device is through the App Store. On ML, you only need a signed app (under default settings) to install it. So there's no precedent for Apple using certs to block apps because if Apple wants to blackball an iOS app, they just remove it from their store. Yes, a few people can keep it backed up locally and Apple hasn't remotely removed them (if they even have that ability), but effectively the app is dead.

It's not even remotely pedantic. You assert handing Apple power is concerning, yet on iOS where they have even greater power (I.e., the ability to remotely kill an app) they have not used either one. There is no precedent for this Orwellian future you fear.

Furthermore the App Store is not the only way to get Apps on the iPhone. AdHoc installation, TestFlight, Provisioned devices, enterprise installs.

Quote:

Originally Posted by petsounds

I see no reasonable benefit to Apple controlling the cert process.

I'll give you three

1) Apple couldn't revoke the certificate, only the authorizing agent can. Having the ability to revoke the certificate is critical to maintaining the security of the system.
2) Apple has more trust equity than VeriSign amongst average users
3) Perhaps you read the recent Dutch study showing 4 of every 1000 public keys provide no security whatsoever, including one major authorizing agent. By being the sole provider Apple maintains quality control

[stanton]

Quote:

Originally Posted by dashiel

It's not even remotely pedantic. You assert handing Apple power is concerning, yet on iOS where they have even greater power (I.e., the ability to remotely kill an app) they have not used either one. There is no precedent for this Orwellian future you fear.

Apple being the only CA is definitely an issue. Let's say I create a BluRay/DVD ripping application or a file sharing application. These programs have dubious legality here in the US do to both Copyright laws and DMCA provisions, however these laws aren't binding for developers in other countries. As has been shown, ICE can seize property such as domain names to protect copyrighted works. So what's to stop them from seizing developers certificates since Apple is a US corporation?

[Stella]

Quote:

Originally Posted by dashiel

Furthermore the App Store is not the only way to get Apps on the iPhone. AdHoc installation, TestFlight, Provisioned devices, enterprise installs.

For the regular person it is.. otherwise there would be no need for jail breaking. For developers, you need to give apple at lest $99 in order to install your own applications on your own device.

[firewood]

Quote:

Originally Posted by Stella

For the regular person it is.. otherwise there would be no need for jail breaking. For developers, you need to give apple at lest $99 in order to install your own applications on your own device.

I had to give Apple over $700 to install apps on a device. $499 base iPad price, $100 more for more storage, $99 more for the signing key. Plus taxes. Lets me install any type of app for which I can write or download suitable source code.

Cheaper prices available for those who don't need as much memory or a signing key.

Plus my developer signing key is usable on up to 99 other devices, so maybe it was only a $1 per device feature upgrade? A whole bunch cheaper than the $100 for additional storage.

[tblrsa]

I just activated Gatekeeper on Lion for some testing.

By pressing the Option Key before clicking on the App Icon you are indeed able to disable Gatekeeper Protection for this one app. The OS remembers your choice and will start this app without further checking in the future. I´ve used Adium for testing this. Not bad, I think.

In case the signature will be free for devs, I don´t see much of a problem here to be honest. Apple is handling this very open, we are all able to test it on our Lion Machines.

[petsounds]

Quote:

Originally Posted by dashiel

It's not even remotely pedantic. You assert handing Apple power is concerning, yet on iOS where they have even greater power (I.e., the ability to remotely kill an app) they have not used either one. There is no precedent for this Orwellian future you fear.

Please re-read what I wrote. I posited that killing an app's cert is equivalent, in terms of the majority of users, to removing an iOS app from the store. And they have removed apps for all sorts of reasons, so there is significant enough of an *equivalent* precedent here to be concerning. Again: for the majority of users, revoking an app's cert will have roughly the same consequences as removing an app from the store because most users won't ever change from the default option of "signed apps only".

Quote:

Furthermore the App Store is not the only way to get Apps on the iPhone. AdHoc installation, TestFlight, Provisioned devices, enterprise installs.

Come on, these are edge cases. This discussion has been based on the majority of users. Power users can always find ways around limitations.

Quote:

1) Apple couldn't revoke the certificate, only the authorizing agent can. Having the ability to revoke the certificate is critical to maintaining the security of the system.

Apple doesn't need to revoke the cert; they just need to flag it in their database. I don't know how Gatekeeper manages certs, but I assume it keeps a local database of valid certs, and then phones home to Apple every so often to make sure none of them have become invalid. So, in my 3rd party example, they'd only need to flag a cert in their database and it would be just as blackballed as if they had revoked their own cert.

[dashiel]

Quote:

Originally Posted by petsounds

Please re-read what I wrote. I posited that killing an app's cert is equivalent, in terms of the majority of users, to removing an iOS app from the store. And they have removed apps for all sorts of reasons, so there is significant enough of an *equivalent* precedent here to be concerning.

I understand what you’re saying; you are claiming absent the editorial approval on the iOS/Mac App Store, Apple will use a security feature for de-facto editorial control/censorship. But that conclusion requires a leap in logic, i.e. the slippery slope fallacy, as there is no precedent on the iOS App Store for Apple utilizing a security feature to exert editorial control. In fact the opposite is true, consider Apps that have been pulled from the App store for copyright or TOS violations. Apple has the legal right and technical capability to remove those Apps from a users device, but they haven’t.

Beyond the leap in logic though there are far more practical issues. Signed certificates operate on trust, at their most basic level developers trust Apple, users trust Apple, therefore a user can trust any developer Apple trusts. If Apple breaks that trust with the developer community then the whole concept of GateKeeper is ruined. Developers will simply drop the certificate program or the Mac platform altogether. Those developers who choose to stay will have step-by-step instructions on their web site detailing how customers can change their security settings, just like today when an App requires a little more than a simple DMG. The very existence of the MacDefender tojan is evidence users are willing to circumvent security for something they think they want.

Quote:

Apple doesn't need to revoke the cert; they just need to flag it in their database. I don't know how Gatekeeper manages certs, but I assume it keeps a local database of valid certs, and then phones home to Apple every so often to make sure none of them have become invalid. So, in my 3rd party example, they'd only need to flag a cert in their database and it would be just as blackballed as if they had revoked their own cert.

Yes they do, certificate revocation is an essential feature of signed certificates, without it you might as well just have developers submit checksum data and some sort of UNID. Without revocation certificates are susceptible to man-in-the-middle attacks. Without revocation privileges, the trusted third party (Apple) has no power and by definition cannot be trusted.

Beyond eliminating a fundamental requirement of signed certificates, introducing a fourth party adds an additional and unnecessary layer of insecurity. As I detailed above developers trust Apple, users trust Apple so users trust the developers Apple trust. In your scenario that agreement changes, Apple would in essence be saying “Trust me, I trust this CA and they trust the developer.” That’s skeptical just based on degrees of separation. Even more troubling though is it hands a critical amount of power to a fourth party. How can Apple know the CA is going to be in business next year or their servers online to verify certifications? How do they know there aren’t nefarious individuals working there, or their security has been compromised? And before you say those are flights of fancy, look at Comodo, just last year they were seriously compromised and false certificates were issued for google.com and mozilla.com

Take a look at the conclusion a Tor contributor drew from the Comodo attack:

Quote:

The browsers chose a user privacy invasive stance without the user protecting security properties. They did this because they claim that CAs are unable to provide working OCSP/CRL systems for request handling. This is a fair claim if true but it must not stand any longer. If the CA cannot provide even a basic level of revocation, it's clearly irresponsible to ship that CA root in a browser. Browsers should give insecure CA keys an Internet Death Sentence rather than expose the users of the browsers to known problems.

(emphasis mine)
https://blog.torproject.org/blog/det...wser-collusion

Bottom line when dealing with security the fewer people you have to trust the more secure you are.

[ArmCortexA8]

Quote:

Originally Posted by tblrsa

I just activated Gatekeeper on Lion for some testing.

By pressing the Option Key before clicking on the App Icon you are indeed able to disable Gatekeeper Protection for this one app. The OS remembers your choice and will start this app without further checking in the future. I´ve used Adium for testing this. Not bad, I think.

In case the signature will be free for devs, I don´t see much of a problem here to be honest. Apple is handling this very open, we are all able to test it on our Lion Machines.

Thanks or that tip so Option then Open the app to prevent future notifications. Would have made more sense to have a "don't apply to this app" or equivalent for future, but this would have made it too easy to disable if implemented down the track.

[milo]

Quote:

Originally Posted by petsounds

Please re-read what I wrote. I posited that killing an app's cert is equivalent, in terms of the majority of users, to removing an iOS app from the store.

But it's not.

[petsounds]

Quote:

Originally Posted by dashiel

Beyond the leap in logic though there are far more practical issues. Signed certificates operate on trust, at their most basic level developers trust Apple, users trust Apple, therefore a user can trust any developer Apple trusts. If Apple breaks that trust with the developer community then the whole concept of GateKeeper is ruined.

Did Apple pulling apps on "moral" grounds break trust with the dev community? Probably. Did developers flee to the Android store? No, because Apple is where the money is. And so it shall be. Let's be real -- if Apple decided to revoke an app's cert, there would be a lot of angry blog posts and angry forum postings, and then everyone will continue on like normal.

I trusted Apple when I got my Mac Plus in 1986 and I trusted Apple when I switched back to OS X, but they've pulled enough stunts the past few years that I don't trust them so much anymore. You call it a leap of logic, but it's more of an emotional response.

I guess time will tell if Apple is just trying to improve security, or if they are trying to turn the walled garden into a prison cell.

By the way, interesting article you linked, thanks.

[dashiel]

Quote:

Originally Posted by petsounds

I trusted Apple when I got my Mac Plus in 1986 and I trusted Apple when I switched back to OS X, but they've pulled enough stunts the past few years that I don't trust them so much anymore. You call it a leap of logic, but it's more of an emotional response.

That sums it up right there. Emotional responses are beliefs and beliefs, sadly, have greater power than facts.
http://motherjones.com/politics/2011...e-chris-mooney

[Harriet03]

[IMG]http://www.***************/avatar1.jpg[/IMG]MacRumors sure bears its name today!

[petsounds]

Quote:

Originally Posted by dashiel

That sums it up right there. Emotional responses are beliefs and beliefs, sadly, have greater power than facts.
http://motherjones.com/politics/2011...e-chris-mooney

Emotional responses are not beliefs. It's a gut reaction, in this case a reaction based on prior behavioral patterns. Apple has a recent history of making decisions that do not benefit customers who want choice. You're looking at it from a very x + y = z point-of-view, but I see a wider corporate strategy at work which Jobs was responsible for. I sincerely hope this changes back to the "old" Apple under the helm of Cook. I hope that you're right and these three choices will stay there in future versions of OS X. But it will take some time before I *trust* that Apple will again be on the side of the customer.

If you don't agree with my assessment, that's fine, but don't insinuate I'm just being blindly emotional about it.

[dashiel]

Quote:

Originally Posted by petsounds

Emotional responses are not beliefs. It's a gut reaction, in this case a reaction based on prior behavioral patterns. Apple has a recent history of making decisions that do not benefit customers who want choice.

You are correct, I was being inarticulate. Beliefs aren’t by definition emotional responses. A gut reaction is an emotional response; a belief based on a gut reaction is therefore emotional.

Quote:

Originally Posted by petsounds

You're looking at it from a very x + y = z point-of-view,

Yes – logically – whereby an argument’s validity is determined by its logical form. Hence the assertion you are making a leap in logic.

Quote:

Originally Posted by petsounds

If you don't agree with my assessment, that's fine, but don't insinuate I'm just being blindly emotional about it.

I’m not insinuating, I’m stating a belief based on a gut reaction is an emotional one. Your gut reaction to the editorial policy of the iOS/Mac App Store is biasing your judgement on a security feature. You are jumping to the conclusion because Apple pulls Apps from their store for content, they will pull certificates for the same reason. If you can provide an example of Apple using a security feature to exert editorial control I will gladly re-evaluate my position.

[petsounds]

Quote:

Originally Posted by dashiel

If you can provide an example of Apple using a security feature to exert editorial control I will gladly re-evaluate my position.

Dude, I don't care whether you re-evaluate your position or not. I was giving my opinion, you gave yours. This isn't an argument or debate. I don't really have anything more to say on the subject. Peace.