If you don’t believe me, request the data Apple has stored about your Apple ID using the form on their website.
I agree they are better than advertising companies, but if you haven’t requested the report about what Apple collects and stores about you and your Apple ID then you should.

They store a lot more than you would think. They just don’t sell it to anyone who wants to pay.

I have on three different occasions. It’s a lot less than I was expecting.
 
Yea? How about this gem from the same article?

The lack of zero-knowledge encryption of iCloud backups is not a new finding, though. Its effects on privacy should by now be known by those who have been interested in the privacy aspects of Apple's services in the past couple of years.

That doesn't make the situation any better of course, but it does explain why they are not commenting on it now - they're simply sticking to their existing commenting policy on the topic until their plans change.
 
I agree with you completely.

Just to provide some insight for people who may not be aware: nearly every web server software (Apache, Nginx, etc.) by default logs every request. Each entry includes date/time, IP address, URL path (everything after the domain name), query string (everything after the ? in the URL path). They also may log referrer (an associated address with the request), how the server handled the request (found, not found, not authorized, etc.), the size of the response, etc.

This is the default behavior. It's typically something a server admin would want because it helps identify problems (failed requests, hacking attempts, etc.). But it could be used to associate information with users.
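As an added example (not code from the post, nor from Apache or Nginx), the Python below parses constructed combined-format access log lines, shows the per-client timeline that default logging makes possible, and applies the kind of minimization that removes the identifying parts before retention. The IP addresses, the OCSP-style path and the user agents are constructed samples, not real traffic.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/Nginx "combined" access log format, which both servers write by default.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "[^"]*"'
)

# Constructed sample lines (not real traffic): two fetches from a hypothetical OCSP
# endpoint by one client, and one ordinary page view carrying a query string.
SAMPLE_LOG = """\
203.0.113.17 - - [12/Nov/2020:18:01:02 +0000] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1416 "-" "ExampleClient/1.0"
203.0.113.17 - - [12/Nov/2020:18:01:05 +0000] "GET /ocsp/MEkwRzBFMEMw HTTP/1.1" 200 1398 "-" "ExampleClient/1.0"
198.51.100.8 - - [12/Nov/2020:18:02:44 +0000] "GET /search?q=tax+return&user=alice HTTP/1.1" 200 5120 "https://example.test/home" "Mozilla/5.0"
"""

def parse(line):
    """Split one combined-format line into fields; the query string is kept separate
    from the path because it is usually the most personal part of the URL."""
    m = COMBINED.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"], _, entry["query"] = entry.pop("target").partition("?")
    return entry

def requests_by_client(log_text):
    """Group entries by source IP: this is the association the post warns about, a
    per-client timeline of what was requested and when."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse(line)
        if entry:
            timeline[entry["ip"]].append((entry["time"], entry["path"]))
    return dict(timeline)

def minimize(entry, v4_prefix=24, v6_prefix=48):
    """Retention-safe copy of an entry: keep what operations needs (path, status, size),
    truncate the client IP to a network prefix, and drop the query string and referrer."""
    prefix = v4_prefix if ip_address(entry["ip"]).version == 4 else v6_prefix
    out = dict(entry)
    out["ip"] = str(ip_network(f"{entry['ip']}/{prefix}", strict=False))
    out["query"], out["referrer"] = "", "-"
    return out
```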
At this point, I’m starting to think people here are just shocked to hear Apple has any data about them. Probably because they say “privacy” a lot. If they did this OCSP thing it must have been a mistake, right? But it’s ok now because they’re gonna fix that one error where they were collecting an irrelevant datapoint. No need to worry about the absolutely enormous trove of data they are actively collecting and storing about us that’s tied to your Apple ID though. As long as they don’t request or read the report, it’s like it doesn’t exist.

I mean, I like Apple’s products a lot and I’ve used them for 20 years now, but I guess I never realized how much people will defend them. Especially defending them for something that they didn’t know about or wouldn’t fully understand if they did.

Case in point, Microsoft has data about you, they are evil. Apple does the same thing, either you’re wrong for pointing it out or it was justified and it’s ok because they care about “privacy”.

Don’t worry about that traffic leaking from your VPN, or the fact they track every song you listen to and the addresses of everyone you’re emailing and what time you did those things and where you did them from, and that’s just scratching the surface. It’s ok because they didn’t bother to read the report Apple offers for free where they show you all of that data they have about you. Since they didn’t read it, they don’t know about it, so it’s just like it isn’t happening at all. Also, since Apple didn’t address the VPN thing at the same time they addressed OCSP it must not be a big deal. Because, you know, the “average customer” wouldn’t care.
 
The lack of zero-knowledge encryption of iCloud backups is not a new finding, though. Its effects on privacy should by now be known by those who are interested in the privacy aspects of Apple's services.

That doesn't make the situation any better of course, but it does explain why they are not commenting on it now - they're simply sticking to their existing commenting policy on the topic until their plans change.
The lack of encryption in iCloud backups isn’t new. Enabling iMessage backups automatically when you update your OS without telling you they did it, that’s new.
 
Apple is addressing the privacy issue...because it's been pointed out that they are hypocritical. The fact that others also collect data doesn't make Apple any less wrong in doing so. Apple's assurances are lip service; I don't trust them one bit. Unless they make a change to allow us to block them, I'll not update my OS or buy a silicon Mac. Little Snitch used to be able to block Apple but in Big Sur that has been disabled.
 
The larger issue here in my opinion is that Apple is bypassing firewalls and vpn apps and exposing your public ip. If you go to the trouble of using a vpn to hide your traffic apple shouldn’t be bypassing those measures and broadcasting unencrypted packets.

Although this particular traffic is relatively harmless, the very idea that they thought that was a good design decision is disturbing.

Well.....unless the VPN app ends up being the malware... if malware ended up hijacking your networking and you didn't know, you would want the OS to still have a way to identify the malware. I'm sure that's probably the reason they did it that way.....
 
Well.....unless the VPN app ends up being the malware... if malware ended up hijacking your networking and you didn't know, you would want the OS to still have a way to identify the malware. I'm sure that's probably the reason they did it that way.....
That makes no sense. It would verify the vpn app when you launched it then you establish a connection with said verified app.

So why does all traffic from that point forward need to bypass the vpn connection that was created by the app that apple verified when you launched it?

Also, not all vpn connections use apps. You can establish a vpn connection using built in tools in macOS, but apple still bypasses it for this.

So I’m not worried about malware hijacking my connection and me not knowing about it because apple already verified the vpn software is not malware when I opened it. I am however, worried about my operating system ACTING like malware and hijacking my connection without telling me about it for whatever traffic Apple tells it to.
 
The larger issue here in my opinion is that Apple is bypassing firewalls and vpn apps and exposing your public ip. If you go to the trouble of using a vpn to hide your traffic apple shouldn’t be bypassing those measures and broadcasting unencrypted packets.

Although this particular traffic is relatively harmless, the very idea that they thought that was a good design decision is disturbing.
How can you trust people (or companies) that do not make statements or inform the public of this type of information "unless" someone finds it? It is almost like they say, "We won't tell UNTIL someone finds out". This is the policy of most companies: ONLY reveal when we are found out...
 
Not a direct comment on this particular issue, but it’s an example of a wider situation: many companies can collect data on you without it being obvious or you knowing, OS manufacturers especially. Just because Apple can choose not to log an IP now doesn’t mean it won’t start again in the future, either purposefully or accidentally / inadvertently; they don’t need you to enable anything on your machine to start collecting the IP again, as it can be captured server side. Now whether you consider this a problem likely depends on who you are and what you do: a sensitive target like a government official or military person (especially those from non-American countries) should probably be far more concerned than me, a random IT techie, and for me an IP doesn’t matter too much; it’s what else they capture using any method. That doesn’t mean I’m not concerned about privacy, and I absolutely should be (looking at you UK government wanting to backdoor end-to-end encryption, Google, Facebook etc), but the lengths I can go to will probably be lower.
 
Great 1st part of the answer!
Now we need to address that they offer a direct path to bypassing the VPN at the kernel level. This makes it even easier for someone leveraging a CVE, as part of the kernel attack surface... though once you've made it to kernel level, you are screwed anyway.
If you have an app that “needs” kernel level access, you can “legally” bypass the VPN. Great!
This just reinforces that VPNs should not be running on the attacked device, but on the router.
 
Well.....unless the VPN app ends up being the malware... if malware ended up hijacking your networking and you didn't know, you would want the OS to still have a way to identify the malware. I'm sure that's probably the reason they did it that way.....

OCSP responses are digitally signed. That's why it is "safe" to transport over a non-encrypted connection. The client device receives the response, validates that it is signed by a certificate authority, then uses it accordingly. If the response is forged or modified during transport (by, in your example, malware), the client's validation of the digital signature would fail and the client would not use that response.
 
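An added example, not code from the post or from Apple, using the Python cryptography library to show both halves of the point above: it builds a throwaway CA and leaf certificate, shows that the OCSP request names the certificate in the clear (the privacy side), and shows that a signed response is accepted only when its signature verifies against the trusted responder key, so a response modified or corrupted on the plaintext hop is discarded (the integrity side). All names and keys are constructed for the example; the CA key doubles as the responder key.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(cn, issuer_cn, key, signer_key, is_ca):
    # Throwaway test certificate constructed for this example (not a real Apple or CA cert).
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))
CA_KEY = ec.generate_private_key(ec.SECP256R1())  # also the OCSP responder's signing key
CA_CERT = make_cert("Example Test CA", "Example Test CA", CA_KEY, CA_KEY, True)
LEAF_CERT = make_cert("Example Developer", "Example Test CA", ec.generate_private_key(ec.SECP256R1()), CA_KEY, False)
def request_serial_on_the_wire():
    # The client's request is neither signed nor encrypted: it carries the issuer hash and
    # the serial of the certificate being checked, readable by anyone on the HTTP path.
    req = ocsp.OCSPRequestBuilder().add_certificate(LEAF_CERT, CA_CERT, hashes.SHA256()).build()
    return ocsp.load_der_ocsp_request(req.public_bytes(serialization.Encoding.DER)).serial_number
def good_response_der():
    # The responder's answer is a "good" status assertion signed with the CA key.
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + datetime.timedelta(hours=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
            .sign(CA_KEY, hashes.SHA256()).public_bytes(serialization.Encoding.DER))
def accept_response(der, trusted_cert=CA_CERT):
    # Client side: parse, then verify the signature over tbsResponseData with the trusted
    # responder key; anything altered or corrupted in transit fails here and is discarded.
    try:
        resp = ocsp.load_der_ocsp_response(der)
        if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            return False
        trusted_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                         ec.ECDSA(resp.signature_hash_algorithm))
    except (ValueError, InvalidSignature, UnsupportedAlgorithm):
        return False
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD
def flip_middle_byte(der):
    # Simulates a single-bit modification of the response on the plaintext HTTP hop.
    b = bytearray(der)
    b[len(b) // 2] ^= 0x01
    return bytes(b)
```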
Little Snitch used to be able to block Apple but in Big Sur that has been disabled.
Big Sur uses a new network extension API and thus whitelists all the aforementioned Apple processes at the OS level. Yeah, that's a bummer, because any attempt like modifying the hosts file or using a VPN is useless now.

I wonder if putting those entries on my router firewall blacklist would work...
 
I’m both pleased that Apple is responding to this and laying out their plans, and annoyed that, once again, an alarmist over the top opinion piece “worked”.
 
A non-alarmist take on this.


Seriously, if you don't like it turn Gatekeeper off, because you obviously understand all the risks involved in doing that.
Turning Gatekeeper off does not stop OCSP.

I am glad they are replacing it with an encrypted protocol, it was a really bad idea to make it unencrypted.

It is good that they are removing the IP addresses that were collected and stopping the collection although I don't care much about it.

I don't care about bypassing firewall and VPN (how does that work?), but obviously others do.
 
I’m both pleased that Apple is responding to this and laying out their plans, and annoyed that, once again, an alarmist over the top opinion piece “worked”.
It seems to me that Apple put themselves in the position where they have to respond. Are there any lies, deceptions, exaggerations or misinformation in what you refer to as the "alarmist over the top opinion piece"? If so, set me straight.
 
How does this all work when your Mac is not connected to the Internet?
I presume everything runs just fine without any online connection in place?
 
I’m both pleased that Apple is responding to this and laying out their plans, and annoyed that, once again, an alarmist over the top opinion piece “worked”.

That's not a response. A press release is a response and I bet you they won't release one so they would not have to go into full damage control mode.

Had we, including the security researchers and forums that brought these issues to light and reported on them, not stirred up the pot we would have had the current status quo 'quietly' imposed on us.
 
There is more tinfoil in this discussion than there is in a supermarket aisle 🤣. Some people don’t understand legal consequences for corporations to snoop on your documents held on your computer.

The personal and corporate documents on your computer are completely private from Apple or Microsoft. Just about every telemetry setting can be disabled on macOS and Windows.

If you want even more privacy from third parties who might access your computer then store them in encrypted disk images.

If you are using some of the cloud services out there then some metadata is used to serve ads or sold to third parties. You have to check the terms and conditions of each service.
 
> using an encrypted connection that is resilient to server failures.

so... a thing happened this week then?
 
I wonder why they were collecting and storing IP addresses in the first place, if as it seems this process can function perfectly well without them?
 