undefined | Better HN

0 pointslifty5y ago0 comments

But I don't want to turn it off. I want to benefit from checking the revocation list without sending my data to Apple on every app start, even if I am vulnerable for a few hours, until my computer syncs the revocation list. I want a middle way, not an ON or OFF button.

0 comments

ArchOversight5y ago

As this article here: https://blog.jacopo.io/en/post/apple-ocsp/ showcases, Apple doesn't send "my data" on every app start.

It sends a hash of the certificate in use to Apple, which happens to be an Apple certificate that is used to sign many applications running on your system.

None of your data is being sent to Apple.

xvector5y ago

Mapping developer certificates to apps is trivial. If you’re launching a Guardian Project app, for example, it’s almost certainly Tor.

Given the presence of the NSA and their ability to send NSLs or FISA warrants, this information should not be hitting the Apple network. A CRL would have been a perfectly acceptable solution.

pseudalopex5y ago

Even the fact that I opened an app is my data.

Responses were cached for 5 minutes.[1] That's effectively checking every time.

[1] https://news.ycombinator.com/item?id=25096307

liftyOP5y ago

So it’s slightly less worse than sending the hash of the app. Still very bad. And as I said previously, depending on a network call to start any app is not ideal.

j / k navigate · click thread line to collapse