
Ternary

macrumors regular
Jul 4, 2015
168
162
I see. If I don't add "::1 ocsp.apple.com" and just keep "0.0.0.0 ocsp.apple.com" in the hosts file, does that mean that macOS is still using this background service that we are trying to block, or is it only something that's displayed in Safari and is not important?
I'm not sure whether the background service pings ipv4 or ipv6 first, but it doesn't hurt to keep both lines. After all, there's still a way to access ocsp.apple.com without `::1 ocsp.apple.com` and you never know if Apple will change the networking logic of the background service in an update.
 

SpiritSoul1008

macrumors member
May 23, 2019
76
45
I went ahead and added 0.0.0.0 ocsp.apple.com to my hosts file. There is absolutely no reason for Apple to collect the info that it collects from this OCSP service. Gatekeeper is fully enabled and functioning as it should, so blocking the OCSP has no effect on Gatekeeper whatsoever and the Mac is fully protected from any potential malware.
Awesome! How would we do this in iOS or iPadOS? Do we have to wait for a jailbreak?
 

Benz63amg

macrumors 601
Oct 17, 2010
4,118
808
Awesome! How would we do this in iOS or iPadOS? Do we have to wait for a jailbreak?
I have no idea. I just read a new article which I linked to above. I removed the OCSP block from my hosts file for the time being because it might cause issues with certain other services on macOS, based on what I'm reading with this new information. Ugh.
 

michaelafcadio

macrumors member
Apr 21, 2019
50
5
Boston, MA
A good neutral, facts-only blog post from CryptoHack about OCSP and what Apple is doing, and how CRLite might be a solution. It presents the facts and also links to some other good resources:
 

W5MMT

macrumors newbie
Nov 17, 2016
3
3
Allen, Texas
I worked at NSA a very long time ago. I always remember walking by Senator Church’s reserved parking spot. He would have had us all in prison if we did half this kind of stuff. I also had White House NSC TS with various SAP clearances. Even in my 20s I thought Nixon and Kissinger were stupid to give away our industry to the Chinese hoping they would become more democratic. This is getting scary. I think my RAVPOWER travel hub is blocking this still. But time to move to Linux. I won’t be buying any more Macs. I sold my software company 2 years ago. I still make money from my cryptography and key file management patents. I’m old and rich with ranches in 2 states and homes in Asia. I feel sorry for you young guys. Your freedom is almost gone. Be paranoid, they are out to get you.
 

cfdlab

macrumors regular
Feb 26, 2008
179
220
Even if it is blocked in the hosts file and Safari cannot reach it, ping still works. How do we know it is really blocked? Do you think Apple will respect the hosts file if they don't want to? They can do whatever they want since they wrote the OS.

Correction: ping is also blocked via the hosts file.
 

Benz63amg

macrumors 601
Oct 17, 2010
4,118
808
Even if it is blocked in the hosts file and Safari cannot reach it, ping still works. How do we know it is really blocked? Do you think Apple will respect the hosts file if they don't want to? They can do whatever they want since they wrote the OS.
I agree, can’t really tell if it’s truly blocked. The original guy (Jeffrey) from 9to5Mac that sparked this entire privacy situation included this terminal command in his blog post, and it was: `echo 127.0.0.1 ocsp.apple.com | sudo tee -a /etc/hosts`

I personally didn’t run that command as I’m not sure what it’ll do exactly and not sure how to reverse it in case something was to go wrong or if I wanted to revert, which is why I manually added 0.0.0.0 ocsp.apple.com to my hosts file. But I have now deleted it, as I stated in my previous post about an hour ago. I read that blocking this OCSP process in the hosts file can cause issues with macOS.
 

Ron21

macrumors 6502a
Sep 6, 2007
951
708

These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

In addition, over the next year we will introduce several changes to our security checks:

  • A new encrypted protocol for Developer ID certificate revocation checks
  • Strong protections against server failure
  • A new preference for users to opt out of these security protections
 

jido

macrumors 6502
Oct 11, 2010
271
129
I've just read a new contradicting article about why this OCSP process should not be blocked: https://blog.jacopo.io/en/post/apple-ocsp/

Not sure what to make of it to be honest at this point
I am not blocking OCSP on my Mac, for the reasons that it protects it from malicious apps and I am not trying to harden it in the first place.
However, I am unhappy that OCSP sends info about the developer of the apps I use without even simple HTTP encryption.
So I am looking forward to the updates from Apple.
 

jennyp

macrumors 6502a
Oct 27, 2007
634
274
Even if it is blocked in the hosts file and Safari cannot reach it, ping still works. How do we know it is really blocked? Do you think Apple will respect the hosts file if they don't want to? They can do whatever they want since they wrote the OS.
When I add the two lines in the hosts file, I find that ping to ocsp.apple.com fails.

I begin to think the whole thing is getting a bit overblown. It is a security feature. Yes it should be encrypted, but I think the worst of it was the inability of any apps to launch properly when the back-end had problems, thus revealing this rather small can of worms.
 

posguy99

macrumors 68020
Nov 3, 2004
2,282
1,531
No, I've always had Gatekeeper disabled and it still did that yesterday. I added 127.0.0.1 ocsp.apple.com to my hosts file, but in Catalina it's a bit harder to edit it because of how the system volume is read-only.
Assuming you're actually going to do this, making it point to loopback is the wrong answer, as that's a valid IP.
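As an added example that is not from this thread, here is a small POSIX shell script that applies the hosts-file block discussed above, covering both the IPv4 and IPv6 lines and mapping the name to the unspecified addresses `0.0.0.0` and `::` rather than loopback, which the post above objects to. It tags its lines with a marker comment of my own (`# ocsp-block`) so the change can be reverted exactly, which is the worry raised about the `tee -a` one-liner; `HOSTS` defaults to `/etc/hosts` and can be pointed at a scratch file to dry-run.

```shell
#!/bin/sh
# Added example, not from the thread. Manage the ocsp.apple.com hosts-file
# block idempotently with a marker comment, so it can be reverted exactly
# (the `tee -a` one-liner quoted above appends blindly and is hard to undo).
set -eu

HOSTS="${HOSTS:-/etc/hosts}"   # override, e.g. HOSTS=/tmp/hosts, to dry-run
HOST="ocsp.apple.com"
TAG="# ocsp-block"             # my marker; only lines carrying it are ever removed

# Map the name to the unspecified addresses 0.0.0.0 (v4) and :: (v6): unlike
# 127.0.0.1 / ::1 they are not valid destinations, so nothing can answer there.
# Covering both families matters because the checker may try either one first.
block_ocsp() {
  unblock_ocsp                 # start clean: re-running never duplicates lines
  printf '0.0.0.0 %s %s\n:: %s %s\n' "$HOST" "$TAG" "$HOST" "$TAG" >> "$HOSTS"
}

# Strip only our tagged lines; every other hosts entry is left intact.
unblock_ocsp() {
  tmp=$(mktemp)
  grep -v -F "$TAG" "$HOSTS" > "$tmp" || true   # grep exits 1 if nothing is left
  cat "$tmp" > "$HOSTS"        # rewrite in place, keeping owner and mode
  rm -f "$tmp"
}

# Number of tagged lines present: 2 when blocked, 0 when not.
block_lines() {
  grep -c -F "$TAG" "$HOSTS" || true
}

case "${1:-}" in
  block)   block_ocsp ;;
  unblock) unblock_ocsp ;;
  status)  echo "$(block_lines) block line(s) for $HOST in $HOSTS" ;;
esac
```

Run it as `sudo sh ocsp-block.sh block|unblock|status`; on macOS, `dscacheutil -q host -a name ocsp.apple.com` then shows what the resolver returns for the name. As later posts in this thread point out, while the entries are present the Developer ID revocation check cannot complete, so `unblock` is the way back to normal behaviour.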
 

Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
The bigger concern for me here is less that Apple is verifying developer signatures through OCSP - although they should be doing it more transparently and the requests should be encrypted - and more that Big Sur seems to have a list of 56 Apple processes that are excluded from the new network filter API.

In Apple's response to this issue they addressed concerns about the app verification but completely ignored the network filter issue.

Pretty obviously this is a major security issue... Apple has just given themselves license to bypass firewalls and VPNs for an arbitrary list of their own processes. Users are not alerted of this by the OS. Someone who sets up a VPN and a firewall on Big Sur is likely to have no idea that a large number of processes are hiding their traffic from the firewall and silently bypassing the VPN.

Why is a bigger deal not being made of this? I can understand the reasoning behind verification of app signatures. I cannot understand why Apple is giving 56 of its processes free rein to bypass firewalls and VPNs.

Not only is this terrible for privacy, but also for security - if an exploit is found in one of those 56 programs, a malicious actor can now piggyback off it to do whatever they like without security software knowing anything about it. Previously, malware has often uninstalled itself if it detects Little Snitch is installed. I suspect now malware authors will be looking for exploits in one of the many whitelisted programs Apple does not let third party firewalls see.

I hope this is either fixed by Apple or a solid workaround is found that does not require disabling system security features. Little Snitch devs say they're "currently investigating a solution in Little Snitch to make these whitelisted connections visible by means of alternative techniques" and I hope they succeed. This is ridiculous from Apple.


And Apple "cares about privacy." :rolleyes:

Meanwhile I'll be using Little Snitch in Catalina and my Pi Hole logs to work out the domains those processes are phoning home to and if they aren't necessary for the system to function I will be blocking them with my Pi Hole. For now at least this will give me at least some level of control outside of Apple's locked down OS restrictions.
 

michaelafcadio

macrumors member
Apr 21, 2019
50
5
Boston, MA
Replying to myself – it is, indeed, not encrypted at all. No SSL or anything.

Why on Earth?

I am starting to succumb to the paranoia.
In short, because OCSP is used to check certificate revocation status -- including the revocation of TLS certificates.

More details about this point in this excellent blog post from security researcher Scott Helme:

Excerpt from Scott's article about lack of encryption on standard OCSP and certificate revocation in general:
The problem with encrypting a revocation check is where do we check the certificate that the revocation infrastructure provides us? You end up in a bit of a loop and ultimately give in to something like not revocation checking the certificate provided by the revocation infrastructure. For those wondering how OCSP responses (or CRLs for that matter) are resistant to tampering, they are signed by the issuer and the client validates the signature, we don't need integrity/authenticity provided by secure transport like TLS, we get it with signatures.
 

Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
The information could still be encrypted on the machine before it's sent via plaintext HTTP however. Or Apple could simply use a protocol other than OCSP so TLS could be used without issue. While yes the authenticity can be verified with signatures, the issue people have is more that the data is being sent in plaintext in such a way that anyone intercepting your traffic can read it.

It's also entirely possible to verify the integrity of an application without sending data over the internet whenever you launch it.

I think this article is now more relevant than ever given Apple seems to finally be merging macOS and iOS including in terms of how much control they exert over them:

 

tzm41

macrumors 6502
Original poster
Jul 11, 2014
334
1,001
Sunnyvale
The bigger concern for me here is less that Apple is verifying developer signatures through OCSP - although they should be doing it more transparently and the requests should be encrypted - and more that Big Sur seems to have a list of 56 Apple processes that are excluded from the new network filter API.

In Apple's response to this issue they addressed concerns about the app verification but completely ignored the network filter issue.

Pretty obviously this is a major security issue... Apple has just given themselves license to bypass firewalls and VPNs for an arbitrary list of their own processes. Users are not alerted of this by the OS. Someone who sets up a VPN and a firewall on Big Sur is likely to have no idea that a large number of processes are hiding their traffic from the firewall and silently bypassing the VPN.

Why is a bigger deal not being made of this? I can understand the reasoning behind verification of app signatures. I cannot understand why Apple is giving 56 of its processes free rein to bypass firewalls and VPNs.

Not only is this terrible for privacy, but also for security - if an exploit is found in one of those 56 programs, a malicious actor can now piggyback off it to do whatever they like without security software knowing anything about it. Previously, malware has often uninstalled itself if it detects Little Snitch is installed. I suspect now malware authors will be looking for exploits in one of the many whitelisted programs Apple does not let third party firewalls see.

I hope this is either fixed by Apple or a solid workaround is found that does not require disabling system security features. Little Snitch devs say they're "currently investigating a solution in Little Snitch to make these whitelisted connections visible by means of alternative techniques" and I hope they succeed. This is ridiculous from Apple.


And Apple "cares about privacy." :rolleyes:

Meanwhile I'll be using Little Snitch in Catalina and my Pi Hole logs to work out the domains those processes are phoning home to and if they aren't necessary for the system to function I will be blocking them with my Pi Hole. For now at least this will give me at least some level of control outside of Apple's locked down OS restrictions.
As I posted in this thread two days ago, someone already found out they can put an arbitrary app into the whitelist... poor security design, this is.

Edit: here
 

Polly Mercocet

macrumors 6502
Aug 17, 2020
258
290
LDN
As I posted in this thread two days ago, someone already found out they can put an arbitrary app into the whitelist... poor security design, this is.

Edit: here

I'd love to see a proper writeup of this on Objective-See, they're very good at going into deep detail about exactly this type of thing.

From those screenshots it looks like they have easily been able to piggyback off a system process to send their own traffic exactly as I speculated.

At this point Apple seriously needs to u-turn this crappy design because it's a fundamental security flaw. Especially regarding their enterprise customers who have to take security seriously. I can't imagine too many sysadmins being happy to roll out an OS that makes it trivial to bypass any firewall they install on the endpoints and sneaks traffic outside of their VPN.

Malware authors will have a field day if Apple actually sticks to this awful idea.

I'm honestly considering cancelling my M1 MBA order unless Apple makes a serious statement about fixing this or Objective Development figures out a way around Apple's restrictions. The Apple Silicon hardware looks like it has serious power but I'm not happy running an OS with poor security by design. Rather just run Linux where I have full control over everything on my system and an extremely flexible firewall that lets me block whatever I want.

P.S. I remember reading on the Little Snitch site that version 4.6, using the kernel extension, would technically still work on Big Sur but you'd need to manually approve it or something. It was pretty vague on details but this was based on info Apple gave to developers before release. Does anyone happen to know if this is true? Or does it just refer to the method where you have to disable SIP? If so, is there not a command that just lets you disable specific parts of SIP? I remember there being a command in Catalina that allowed you to disable only the protection against unsigned kexts. Maybe there's something similar in Big Sur to disable whatever prevents kexts from running altogether. I'll have to do some digging.

Edit:

Kexts Still Live – With Your Approval

Kexts are not quite dead and buried and even live on in Apple’s own system software; however, for 3rd party developers, the push to abandon kernel extensions from both Apple and users has been strong, and most vendors, including SentinelOne, are moving to the new System Extensions as replacement for kexts. You can find out more about SentinelOne’s kextless agent and support for Big Sur here.

In Big Sur, all kernel extensions need user approval, including updated versions of existing kexts. Interestingly, Apple have not exempted themselves from that rule either, so you may see alerts for approving updates to kexts that live in /Library/Apple/System/Library/Extensions, too, like this


So it looks like, in theory at least, I can run Little Snitch 4.6 just fine on Big Sur. I just need to approve the kext.

I don't think LS 4.6 is a universal app but hopefully Rosetta 2 is fast enough that it won't make any noticeable difference. Would rather have a slight speed decrease than for my firewall to be useless and insecure.

VPN will be a little more tricky... don't have the ability to run a VPN connection from my router and VPN clients don't use kexts. But with old school LS working I can just block most processes that try to escape the VPN anyway.

Edit 2:

Confirmed LS 4.6 works on Big Sur, just need to boot into recovery and run a single terminal command before installation:


I will 100% be doing this and sticking to the "old technology" until Apple fixes this security nightmare in the new API.
 

AaronShep

macrumors newbie
Apr 23, 2009
8
0
All they're doing is checking your app to make sure it's safe to open. It's really not a privacy issue at all unless you're super paranoid. The real problem is that the process can fail, leaving you unable to operate your computer while it's online.
 