Il giorno 15 nov 2020, alle ore 09:44, nexa-request@server-nexa.polito.it ha scritto:

Message: 4
Date: Sun, 15 Nov 2020 08:44:51 +0000
From: Alberto Cammozzo <ac+nexa@zeromx.net>
To: Stefano Quintarelli <stefano@quintarelli.it>, Nexa
<nexa@server-nexa.polito.it>
Subject: Re: [nexa] Jeffrey Paul: Your Computer Isn't Yours
Message-ID: <63D56C0D-FEA8-42EC-A210-4D6D54A4E4BF@zeromx.net>
Content-Type: text/plain; charset="utf-8"

Non saprei. 
Segnalo un commento che farebbe pensare di no. 
Se la sicurezza viene centralizzata diventa censura, anche concedendo che non sia censura by design...

Does Apple really log every app you run? A technical look

<https://blog.jacopo.io/en/post/apple-ocsp/>

Apple?s launch of macOS Big Sur was almost immediately followed by server issues which prevented users from running third-party apps on their computers. While a workaround was soon found by people on Twitter, others raised some privacy concerns related to that issue.

   Hey Apple users:

   If you're now experiencing hangs launching apps on the Mac, I figured out the problem using Little Snitch.

   It's trustd connecting to https://t.co/FzIGwbGRan

   Denying that connection fixes it, because OCSP is a soft failure.

   (Disconnect internet also fixes.) pic.twitter.com/w9YciFltrb
   ? Jeff Johnson (@lapcatsoftware) November 12, 2020

What is OCSP?

OCSP stands for Online Certificate Status Protocol1. As the name implies, it is used to verify the validity of a certificate without having to download and scan large certificate revocation lists. macOS uses OCSP to make sure that the developer certificate hasn?t been revoked before an app is launched.

As Jeff Johnson explains in his tweet above, if macOS cannot reach Apple?s OCSP responder it skips the check and launches the app anyway - it is basically a fail-open behaviour. The problem is that Apple?s responder didn?t go down; it was reachable but became extremely slow, and this prevented the soft failure from triggering and giving up the check.

It is clear that this mechanism requires macOS to contact Apple before an app is launched. The sudden public awareness of this fact, brought about by Apple?s issues, raised some privacy concerns and a post from security researcher Jeffrey Paul2 became very popular on Twitter. He claims that

   In the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it.

That would be creepy indeed.

To make things worse, it is common for OCSP to use HTTP - I?m talking about good old plaintext HTTP on port 80, none of that HTTPS rubbish. There is usually a good reason for this, that becomes especially clear when the OCSP service is used for web browsers: preventing loops. If you used HTTPS for checking a certificate with OCSP then you would need to also check the certificate for the HTTPS connection using OCSP. That would imply opening another HTTPS connection and so on.

Of course while OCSP does not mandate encryption, it does require that responses are signed by the server. This still doesn?t solve the initial concern that anyone with a traffic analyzer on your network could evasdrop every app you open and when you open it.
Diving deeper

Knowing some OCSP basics, more questions arise. OCSP is about checking certificates; why should this have anything to do with sending out hashes of apps you run? Does macOS really compute the hash of each executable at each launch? What about very large ones? That would take a significant amount of time; is it possible that nobody noticed? Maybe the hash is computed only once (e.g. the first time you run the app) and it is stored somewhere. But I?m not convinced and I think these claims needs more research.[...]

On November 14, 2020 9:53:31 PM UTC, Stefano Quintarelli <stefano@quintarelli.it> wrote:

ciao,
non c'e' un setting nel sistema operativo per dire "non mandare info a 
apple" ?
ciao, s.

On 14/11/2020 22:31, Alberto Cammozzo via nexa wrote:

<https://sneak.berlin/20201112/your-computer-isnt-yours/ 
<https://sneak.berlin/20201112/your-computer-isnt-yours/>>

Your Computer Isn't Yours
12 November 2020


It?s here. It happened. Did you notice?

I?m speaking, of course, of the world that Richard Stallman predicted

in 

1997. The one Cory Doctorow also warned us about.

On modern versions of macOS, you simply can?t power on your computer,

launch a text editor or eBook reader, and write or read, without a

log 

of your activity being transmitted and stored.

It turns out that in the current version of the macOS, the OS sends

to 

Apple a hash (unique identifier) of each and every program you run,

when 

you run it. Lots of people didn?t realize this, because it?s silent

and 

invisible and it fails instantly and gracefully when you?re offline,

but 

today the server got really slow and it didn?t hit the fail-fast code

path, and everyone?s apps failed to open if they were connected to

the 

internet.

Because it does this using the internet, the server sees your IP, of 
course, and knows what time the request came in. An IP address allows

for coarse, city-level and ISP-level geolocation, and allows for a

table 

that has the following headings:

Date, Time, Computer, ISP, City, State, Application Hash

Apple (or anyone else) can, of course, calculate these hashes for

common 

programs: everything in the App Store, the Creative Cloud, Tor

Browser, 

cracking or reverse engineering tools, whatever.

This means that Apple knows when you?re at home. When you?re at work.

What apps you open there, and how often. They know when you open 
Premiere over at a friend?s house on their Wi-Fi, and they know when

you 

open Tor Browser in a hotel on a trip to another city.

?Who cares?? I hear you asking.
[...]

_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa

-- 
reserve your meeting with me at https://cal.quintarelli.it