Apple reneged on OCSP privacy

June 13 2022 by Jeff Johnson

The incident I refer to as the Mac OCSP appocalypse occurred in November 2020. Apple's Developer ID Online Certificate Status Protocol (OCSP) service went down, which caused Mac users worldwide to experience issues with launching their apps. I was among the first to discover the cause of this app launching issue. In response to the Mac OCSP appocalypse, Apple promised several changes.

In addition, over the the next year we will introduce several changes to our security checks:

(The "the the" above is Apple's typo, not mine.)

The first change was accomplished: macOS switched from using the unencrypted http service to the new encrypted https service. This has been confirmed on Big Sur and Monterey. (I assume but haven't confirmed that it continues to be true of Ventura.)

It's impossible for us on the outside to verify whether the second change was accomplished, so I have nothing to say about that.

The third change, a new preference for users to opt out, is still nowhere to be found, not even in the new macOS 13 Ventura beta. The System Preferences app itself has been redesigned and renamed on Ventura, yet the promised new preference is missing, more than a year and a half after Apple made these promises. Apple's support document says "Published Date: April 30, 2021" for some reason (maybe just the date of some revisions), but the promises were originally published in November 2020, so they ought to have been fulfilled by November 2021, according to Apple's own stated timeline.

Since the Mac OCSP appocalypse, which occurred on the day that macOS 11 Big Sur was released, we've now seen two major updates — macOS 12 Monterey and macOS 13 Ventura — that have both failed to fulfill Apple's promise for an opt-out preference.

Apple, what's the deal? Do Apple executives think we would just forget about this? I haven't forgotten.
