Follow

Huh, what do you know, that scaremongering article about Apple's OCSP implementation sending application hashs was inaccurate 🙃

Neither does it seem to send the ISP, city or state, by the way.

blog.jacopo.io/en/post/apple-o

From the article it seems that the OP saying that the OCSP implementation was leaking a whole bunch of things _probably_ confused the OCSP mechanism with GateKeeper? But even then I'd be very surprised if even that would send that much un-needed data.

Show thread

Like, there's plenty of things to say about macOS' being more locked down than ever (reasonably so, i'd say, but that's not the point) without having to spread FUD, quoting Richard Stallman (🤢) and acting like this is the end of the world lmao

Show thread

Final note: this is not an invitation for Linuxheads to @ me with takes such as "Apple spies on you, you should use Linux". I want an OS that (mostly) works, that's why I use macOS. I don't want to troubleshoot shit on my computer more than I already do, thx.

Show thread

@Eramdam fwiw I think the ISP, city, state thing was because knowing someone's IP is generally enough to give someone that information (with varying degrees of accuracy, of course), not because it explicitly sends that info

@hierarchon Yeah, but even then, if your ISP doesn't give you a fixed IP, this is moot. Same thing if you use a VPN.

@Eramdam jeffrey’s article doesn’t say it sends the location data. his article says that it allows for the linking of locations with requests:

Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings: Date, Time, Computer, ISP, City, State, Application Hash

the rationale for using plaintext over http isn’t easy to explain away: if the ocsp request was obfuscated in some way, it would prevent third-parties (like your internet provider, or oppressive government) from figuring out what you’re running. nothing prevents them from building a list of developer ids.

Sign in to participate in the conversation
Octodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!