Apple memory holed its broken promise for an OCSP opt-out

Blocking OCSP and Network Workarounds

  • Users discuss blocking Apple’s OCSP servers (ocsp2.apple.com, ocsp3, etc.) via Little Snitch; regex-style patterns are suggested if supported.
  • trustd is identified as the macOS process making OCSP requests.
  • Some note Apple apps and certain networking setups (e.g., bridged VM adapters) can bypass Little Snitch.
  • /etc/hosts is reported as unreliable for blocking, especially with Safari and iCloud Private Relay; behavior around IPv4/IPv6 is debated and partly unclear.
  • Turning off all network radios prevents OCSP checks but is seen as impractical.

Little Snitch, DNS, and Alternatives

  • Criticism that Little Snitch performs DNS resolution before the allow/deny dialog, making it weak against DNS-leak concerns.
  • A Pi-hole-based, DNS-layer blocking setup is proposed as a more robust alternative for network-wide control.

What OCSP Reveals and Risk to Typical Users

  • OCSP lets Apple see which signed apps (by developer certificate) are run from a given IP, historically in plaintext, now encrypted but still visible to Apple.
  • It’s claimed the request fires on each app launch, not just install, implying a potential (IP, app, timestamp) log.
  • One commenter questions how worrying this is for a typical user who mostly uses the App Store and Homebrew; others suggest it’s more of a privacy-model concern than an immediate practical risk.
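To make concrete what an OCSP request actually carries, here is an added example (not Apple's code, and not the thread's) that encodes and decodes a bare RFC 6960 OCSP request with a minimal DER codec. The issuer name, issuer key bytes and serial number are constructed placeholders, not values from any Apple CA. The point it shows: the request names a certificate (SHA-1 hashes of the issuer's name and key, plus the certificate serial), so an observer who holds the CA certificate can tell which developer's certificate was checked; the app's own name never appears, but together with the source IP and the arrival time that is exactly the (IP, developer, timestamp) record the discussion is concerned about.

```python
"""Added example: encode/decode an RFC 6960 OCSP request to show what it reveals.
Every value below is constructed for illustration; none comes from Apple."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, 1.3.14.3.2.26
OID_NAMES = {SHA1_OID: "sha1", bytes.fromhex("608648016503040201"): "sha256"}


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Contents of a positive INTEGER; the extra byte keeps the sign bit clear."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def build_ocsp_request(issuer_name_der: bytes, issuer_key_bytes: bytes, serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } }.
    issuer_name_der is the issuer's DER Name; issuer_key_bytes stands in for the
    issuer public key as RFC 6960 hashes it (constructed bytes in this example)."""
    alg = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))  # AlgorithmIdentifier sha1
    cert_id = tlv(0x30, alg
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())   # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_key_bytes).digest())  # issuerKeyHash
                  + tlv(0x02, der_int(serial)))                         # serialNumber
    request_list = tlv(0x30, tlv(0x30, cert_id))
    return tlv(0x30, tlv(0x30, request_list))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """All top-level (tag, value) pairs inside a constructed element."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_ocsp_request(der: bytes) -> dict:
    """CertID fields of the first Request; optional context-tagged members
    (version [0], requestorName [1], extensions [2]) are skipped, not parsed."""
    _, tbs, _ = parse_tlv(der)                     # OCSPRequest -> TBSRequest element
    _, tbs_body, _ = parse_tlv(tbs)                # TBSRequest contents
    request_list = next(v for t, v in children(tbs_body) if t == 0x30)
    _, request, _ = parse_tlv(request_list)        # first Request
    cert_id = next(v for t, v in children(request) if t == 0x30)
    alg, name_hash, key_hash, serial = children(cert_id)
    oid = next(v for t, v in children(alg[1]) if t == 0x06)
    return {
        "hash_alg": OID_NAMES.get(oid, oid.hex()),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial": int.from_bytes(serial[1], "big"),
    }


def issuer_matches(fields: dict, candidate_issuer_name_der: bytes) -> bool:
    """What a passive observer can do with a CA certificate in hand: the name
    hash is deterministic, so the issuing CA is identifiable from the request."""
    return fields["issuer_name_hash"] == hashlib.sha1(candidate_issuer_name_der).hexdigest()


# Constructed sample issuer: a Name with a single CN (2.5.4.3) RDN.
ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                         + tlv(0x0C, b"Example Developer ID CA"))))
ISSUER_KEY = b"\x00" + bytes(range(64))  # placeholder key bytes, not a real key
SERIAL = 0x0123456789ABCDEF               # placeholder certificate serial

if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME, ISSUER_KEY, SERIAL)
    print(decode_ocsp_request(req))
    print("issuer identifiable:", issuer_matches(decode_ocsp_request(req), ISSUER_NAME))
```

Note that the issuer's name is only present as a hash, so the request is not readable by grepping for a CA name; it is readable by anyone who can compute the same hash over a known CA certificate, which is why the historical plaintext transport mattered and why the encrypted transport still leaves the responder itself fully informed.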

Apple’s Privacy Posture and Broken Promises

  • Strong criticism that Apple markets privacy but treats it as “privacy is when you trust Apple,” and that walking back the OCSP opt-out promise undermines trust.
  • Counterpoint: among large tech firms, Apple is seen by some as comparatively more privacy-oriented and investing in privacy tech, even if imperfect.
  • Others argue that “only one company has all your data” should not be called privacy.

Homomorphic Encryption Discussion

  • Apple’s use of homomorphic encryption for iOS 18 live caller ID lookups is noted; an SDK was announced.
  • Some see this as promising privacy tech Apple is pushing; others say it’s narrow, early, and can’t excuse not following through on simpler privacy commitments like OCSP controls.
  • It’s highlighted that homomorphic encryption is required for third‑party caller ID providers; Apple’s own features still largely rely on trusting Apple.

Security Architecture: OCSP vs Notarization

  • Clarification that OCSP checks revocation of Developer ID certificates via trustd, while notarization is a separate process using tickets signed by Apple and checked by syspolicyd/Gatekeeper.
  • Some initially conflate the two; others emphasize they are distinct security layers, both contributing to macOS’s code-trust model.

Comparisons with Other Ecosystems

  • Some users report abandoning Apple entirely over issues like OCSP and preferring all‑Linux environments, where tools like SSH don’t involve vendor-level tracking and “just work.”
  • Others note macOS also has built-in SSH but warn that enabling services without strong auth (e.g., keys/certs) can be risky.