• Digital bridges cannot cross analog gates
    https://redasadki.me/2023/06/12/digital-bridges-cannot-cross-analog-gates

    I’ve been doing a lot of thinking recently about an interesting question, as I’ve observed myself and colleagues starting to travel again: “Why are we again funding high-cost, low-volume face-to-face #conferences that yield, at best, uncertain outcomes?” I am surprised to have to ask this question. I was hoping for a different outcome, in which the experience of the COVID-19 pandemic led to a lasting change in how we bridge physical and digital spaces for a better future. We were brutally forced to work differently due to the COVID-19 pandemic’s restrictions on freedom of movement. Nevertheless, we discovered that it is possible to connect, meet, collaborate, and learn without sinking budgets into air travel and accommodation. At least some of work-related travel was due to habit and (...)

    #Global_health #Thinking_aloud #gatekeepers #global_health #inclusion #learning_culture #Teach_to_Reach #workshops

  • Does Apple really log every app you run? A technical look

    https://blog.jacopo.io/en/post/apple-ocsp

    TL;DR
    • No, macOS does not send Apple a hash of your apps each time you run them.
    • You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text on your network.
    • You probably shouldn’t block ocsp.apple.com with Little Snitch or in your hosts file.

    [...]

    It is common for OCSP to use HTTP - I’m talking about good old plaintext HTTP on port 80, none of that HTTPS rubbish. There is usually a good reason for this, that becomes especially clear when the OCSP service is used for web browsers: preventing loops. If you used HTTPS for checking a certificate with OCSP then you would need to also check the certificate for the HTTPS connection using OCSP. That would imply opening another HTTPS connection and so on.

    Of course while OCSP does not mandate encryption, it does require that responses are signed by the server. This still doesn’t solve the initial concern that anyone with a traffic analyser on your network could eavesdrop every app you open and when you open it.

    [...]

    It is clear that the trust service on macOS doesn’t send out a hash of the apps you launch. Instead, it just sends information about some certificate - as we would certainly expect after understanding what OCSP is in the first place.

    #ocsp #Gatekeeper

  • Apple Users Got Owned

    https://puri.sm/posts/apple-users-got-owned

    This means that Apple not only knows which applications you have installed, it knows each time you run them. While in the past this was an optional service, now it’s mandatory and starting with Big Sur, you can no longer use a tool like Little Snitch to block this service, or route it through Tor for some privacy. Apple (and anyone who can sniff this plaintext communication) can know when you launched Tor browser or other privacy tools, or how often you use competitors’ applications.

    [...]

    Apple’s notary service doesn’t send information about the app, but instead sends information about the developer certificate used to sign them (which makes more sense given how OCSP works). This means that they can know, for instance, that you ran an application from Mozilla, but they can’t necessarily tell whether you ran Firefox or Thunderbird. If a developer only signs a single application, of course, they could correlate the certificate with the app. The service also seems to cache an approval for a period of time so whether it sends Apple information each time you run an app depends on how frequently you launch it.

    [...]

    Yet like with so many Apple features, security is a marketing term when the real motivation is control. While code signing already gave Apple control over whether you could install or upgrade software, this feature grants Apple control over whether you can run applications. Apple already has used code signing on iOS to remove competitors’ applications from the App Store and also remotely disable apps in the name of security or privacy. There’s no reason to think they won’t use the same power on macOS now that it can no longer be bypassed.

    #ocsp #Gatekeeper #privacy

  • macOS Big Sur launch appears to cause temporary slowdown in even non-Big Sur Macs

    https://arstechnica.com/gadgets/2020/11/macos-big-sur-launch-appears-to-cause-temporary-slowdown-in-even-non-bi

    It didn’t take long for some Mac users to note that trustd—a macOS process responsible for checking with Apple’s servers to confirm that an app is notarised—was attempting to contact a host named ocsp.apple.com but failing repeatedly. This resulted in systemwide slowdowns as apps attempted to launch, among other things.

    [...]

    The “OCSP” part of the hostname refers to Online Certificate Status Protocol stapling, or just “certificate stapling.” Apple uses certificate stapling to help streamline the process of having millions of Apple devices checking the validity of millions and millions of certificates every day.

    #ocsp #Gatekeeper #privacy #TLS

    https://en.wikipedia.org/wiki/OCSP_stapling

    The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates.[1] It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance.

  • The Gatekeeper | Cryptocomb
    http://cryptocomb.org/?p=119

    Below are just a very small sample of the NSA documents that several media outlets have obtained from Glenn Greenwald, hereinafter referred to as “The Gatekeeper”.
    The #Gatekeeper decides what gets distributed and to what organization. Obviously, the most riveting documents are stashed in his back pocket for his upcoming book.

    #NSA #Snowden #rétention_de_fuites

  • “What’s next, Jailbreaking your Mac?”
    http://thenextweb.com/dd/2012/02/16/apples-gatekeeper-pushes-developers-toward-a-mac-app-store-future

    #Apple announced an important “Security” feature: Gatekeeper. In Apple’s own words:
    Now you can choose from three security options. You can download and run applications from anywhere, just as in OS X Lion. To be even safer, download and run apps from the Mac App Store and apps with a Developer ID. Or download and run only apps from the Mac App Store — the safest setting of all. #Gatekeeper lets you decide which setting is best for you.

    • That is called turning yourself into a content intermediary, a very lucrative segment that Universal and co. have been exploiting for some time now. The principle: insert an intermediary that serves no purpose, locks down the market, racks up profits on the backs of creators, and reinvests them in lawsuits and lobbying to stop those creators from escaping the straitjacket thus created. That is the Apple business model.