August 7 2024
When you launch an app, macOS connects to Apple's OCSP service to check whether the app's Developer ID code signing certificate has been revoked by Apple. In November 2020, Apple's OCSP service experienced a mass outage, preventing Mac users worldwide from launching apps. In response and remedy to this outage, Apple made several explicit promises to Mac users in a support document, which can still be seen in a Wayback Machine archive from September 24, 2023.
To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the next year we will introduce several changes to our security checks:
- A new encrypted protocol for Developer ID certificate revocation checks
- Strong protections against server failure
- A new preference for users to opt out of these security protections
The last item, "A new preference for users to opt out of these security protections", has never been implemented in macOS, and two years ago I wrote that Apple reneged on OCSP privacy.
Now I've discovered that on September 26, 2023, the day that macOS 14 Sonoma was released to the public, Apple erased its promise from the support document. This can also be seen with the Wayback Machine.
Oddly, the original support document URL https://support.apple.com/en-us/HT202491 now redirects to a slightly different support document URL https://support.apple.com/en-us/102445, though the content of the two documents remains mostly the same.
Apple's broken promise is shameful. The company apparently hopes we forget that it ever made the promise. Apple talks a good game, claiming "privacy is a fundamental human right", yadda yadda, but talk is cheap. When it comes to our right to stop our devices from phoning home to Cupertino, Apple is not interested. And if we can't trust Apple to keep its promises, then why should we trust anything else that Apple says, such as that our IP addresses are not logged? After all, it's impossible for us to verify this from the outside. Trust is earned through actions, and in this case Apple has neglected to act.
At this point, the only way to protect your own privacy is to use a firewall such as Little Snitch to block the connections.
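The check described at the top of this post is an ordinary OCSP request. The following Go program is an added illustration, not code from this post or from Apple: it builds a throwaway issuing CA and a code-signing leaf certificate carrying a constructed responder URL, then computes what an RFC 6960 request for that leaf would contain, namely the responder URL taken from the certificate's Authority Information Access extension, the two issuer hashes, and the leaf's serial number. The certificate names, the serial, and the URL are made up, and nothing here touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Disclosure lists what an RFC 6960 OCSP request for one certificate reveals
// to the responder: where the request goes (the AIA extension of the
// certificate being checked) and the CertID fields that pin down exactly
// which certificate, and therefore which signer, is being checked.
type Disclosure struct {
	ResponderURL   string
	IssuerNameHash string // SHA-1 over the DER-encoded issuer Name, hex
	IssuerKeyHash  string // SHA-1 over the issuer's subjectPublicKey bits, hex
	SerialNumber   string // the leaf certificate's serial number, hex
}

// newTestPair builds a throwaway issuing CA and a code-signing leaf whose AIA
// extension points at ocspURL. Constructed sample data only; this is not an
// Apple-issued Developer ID certificate.
func newTestPair(ocspURL string) (issuer, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Developer ID Issuing CA"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if issuer, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1a2b3c), // made-up serial
		Subject:      pkix.Name{CommonName: "Developer ID Application: Example Corp"},
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		OCSPServer:   []string{ocspURL}, // becomes the AIA id-ad-ocsp accessLocation
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return issuer, leaf, nil
}

// disclosure computes the CertID fields a client puts in its OCSP request for
// leaf, as defined in RFC 6960 section 4.1.1, plus the URL it would send them to.
func disclosure(issuer, leaf *x509.Certificate) (Disclosure, error) {
	if len(leaf.OCSPServer) == 0 {
		return Disclosure{}, fmt.Errorf("certificate carries no OCSP responder URL")
	}
	// issuerKeyHash covers only the BIT STRING contents of the issuer's
	// SubjectPublicKeyInfo, not the whole SPKI structure.
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki); err != nil {
		return Disclosure{}, err
	}
	nameHash := sha1.Sum(leaf.RawIssuer)
	keyHash := sha1.Sum(spki.PublicKey.Bytes)
	return Disclosure{
		ResponderURL:   leaf.OCSPServer[0],
		IssuerNameHash: hex.EncodeToString(nameHash[:]),
		IssuerKeyHash:  hex.EncodeToString(keyHash[:]),
		SerialNumber:   leaf.SerialNumber.Text(16),
	}, nil
}

func main() {
	issuer, leaf, err := newTestPair("http://ocsp.example.test/devid")
	if err != nil {
		panic(err)
	}
	d, err := disclosure(issuer, leaf)
	if err != nil {
		panic(err)
	}
	fmt.Printf("responder:      %s\n", d.ResponderURL)
	fmt.Printf("issuerNameHash: %s\n", d.IssuerNameHash)
	fmt.Printf("issuerKeyHash:  %s\n", d.IssuerKeyHash)
	fmt.Printf("serialNumber:   %s\n", d.SerialNumber)
}
```

The serial number identifies one signer's certificate, so the responder learns which developer's software a given client address is launching; that pairing of serial and source IP is the data the support document's logging promise covered, and it is what a firewall rule on the outbound connection withholds.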