
MacOS Catalina: Slow by Design?

(sigpipe.macromates.com)
2031 points jrk | 9 comments
usmannk ◴[] No.23275922[source]
It seems like there is a lot of confusion here as to whether this is real or not. I've been able to confirm the behavior in the post by:

- Using a new, random executable. Even echo $rand_int will work. Edit: What I mean here is generate your rand int beforehand and statically include it in your script.

- Using a fresh filename too. Just throw a rand int at the end there. e.g. /tmp/test4329.sh

I MITMd myself while recording the network traffic and, sure enough, there is a request to ocsp.apple.com with a hash in the URL path and a bunch of binary data in the response body. Unsure what it is yet but the URL suggests it is generating a cert for the binary and checking it. See: https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

Here's the URL I saw:

http://ocsp.apple.com/ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGB...

Edit2: Anyone know what this hash format is? It's not quite base64, nor is it multiple base64 strings separated with '+'s but it seems similar...

Edit3: Here is the exact filename and file I used: https://gist.github.com/UsmannK/abb4b239c98ee45bdfcc5b284bf0...

Edit4 (final one probably...): On subsequent attempts I'm only seeing a request to https://api.apple-cloudkit.com and not the OCSP one anymore. Curiously, there are no headers at all. It is just checking for connectivity.

replies(13): >>23275956 #>>23276180 #>>23277591 #>>23277808 #>>23278027 #>>23278103 #>>23278258 #>>23278367 #>>23278388 #>>23279695 #>>23281103 #>>23284359 #>>23420492 #
kccqzy ◴[] No.23275956[source]
OCSP is Online Certificate Status Protocol, generally used for checking the revocation status of certificates. You used to be able to turn it off in keychain access, but that ability went away in recent macOS releases.
replies(1): >>23276763 #
VonGuard ◴[] No.23276763[source]
Ah, Apple. When you can no longer innovate, just start removing features and call it simplicity...
replies(4): >>23277034 #>>23277355 #>>23277462 #>>23279640 #
throwaway851 ◴[] No.23277462[source]
Another way to look at it is that Apple is making it harder to run the system in an insecure fashion. You may not agree with that decision, but I certainly appreciate how Apple is looking out for the safety and security of the user.

Tangent: as much as some developers hate that the only way to distribute apps for the iPhone is through the App Store, as a user I consider that walled garden of apps to be a real security benefit. When John Gruber says “If you must use Zoom or simply want to use it, I highly recommend using it on your iPad and iPhone only. The iOS version is sandboxed and reviewed by the App Store,” there’s a reason why he can say things like that, and it’s because Apple draws a hard line in the sand that not everyone will be happy with.

replies(8): >>23277588 #>>23278246 #>>23278605 #>>23278675 #>>23278822 #>>23279704 #>>23279782 #>>23282372 #
43920 ◴[] No.23277588[source]
Wouldn't a sandboxed Zoom downloaded directly from them be equally secure?
replies(3): >>23277675 #>>23279413 #>>23279762 #
Retric ◴[] No.23277675[source]
Apple’s rejected a huge number of App updates for security reasons. It’s not a huge benefit, but it does exist.
replies(1): >>23277788 #
cliffsteele ◴[] No.23277788[source]
And also allowed a jailbreak app in the iOS App Store. Yes, it only happened once (that I know of), but it still shows you can't really be oblivious to their practices.
replies(1): >>23278185 #
colejohnson66 ◴[] No.23278185[source]
So out of the millions of apps on the App Store, they slipped up once? Sounds like a really good success rate.
replies(1): >>23278268 #
saagarjha ◴[] No.23278268[source]
That's just the one jailbreak that ended up in the news. There have been many other bad things that have been pulled.
replies(1): >>23278496 #
1. cmdshiftf4 ◴[] No.23278496[source]
>been many other bad things that have been pulled

A jailbreak app making it to the app store being bad, and "apple's walled gardens are bad", are fundamentally incompatible.

replies(2): >>23278837 #>>23279415 #
2. jasonlotito ◴[] No.23278837[source]
Jailbreak apps are bad for Apple. Walled gardens are bad for users. It's not complicated.
replies(1): >>23279279 #
3. neotek ◴[] No.23279279[source]
I, a user, am extremely appreciative of Apple's walled garden. I've never once had to worry that the app I'm downloading is crammed full of malware because I trust that Apple's processes are robust and will work well in 99.999% of all circumstances.
replies(2): >>23279616 #>>23279651 #
4. saagarjha ◴[] No.23279415[source]
Apple can be bad at doing what they claim to be doing and also be doing the wrong things. The nice way this works is that Apple curates a bunch of software they think is safe, and I can run whatever I want on my device. The worst of both worlds is that I can't run what I want, but sometimes malicious things get through Apple's checks.
5. davrosthedalek ◴[] No.23279616{3}[source]
A walled garden is not the same as a curated app store. You could have the same benefit if Apple would allow non-app-store apps to be installed after flipping a switch, tethering with a Mac or some other voodoo.
replies(1): >>23280368 #
6. friendlybus ◴[] No.23279651{3}[source]
People who are precious about security never obtain apps that aren't generally approved and vetted by professionals anyway. Forcing this decision onto everybody is just going to push the people who want a free and open platform into places you don't want them. The benefits of openness don't go away just because Apple said so.
replies(2): >>23279990 #>>23280346 #
7. LaGrange ◴[] No.23279990{4}[source]
We get Zoom, we used to install Java (remember when it was bundled with crapware in hope you'll forget to uncheck a checkbox?). Companies routinely strong-armed users into getting malware. And I doubt popular game mods are all that strongly reviewed by security experts, but are quite popular with tech people.

App Store policies are a poor replacement for collective action, of course, but let's not pretend we can just become immune to hostile by sheer force of will.

8. neotek ◴[] No.23280346{4}[source]
I care about security, but that doesn't preclude me from jailbreaking my iPhone and running dozens of tweaks that haven't been "vetted by professionals", along with sideloaded apps that haven't been through Apple's vetting process either.

My MacBook runs Homebrew which currently lists 84 packages installed plus their dependencies, very few of which will have been professionally vetted, and of the 127 apps in my /Applications folder only a third of them came from the Mac App Store, and I would estimate that a quarter of the others aren't even signed with a paid developer certificate.

I want the apps that I get from Apple directly to be safe. I want to know that when I put my faith in the App Store that I'm not lulling myself into a false sense of security. I want my parents and girlfriend, who are not technical people, to have that same sense of security without them having to learn entire programming languages to vet source code themselves.

The benefits of closed systems don't go away just because you say so.

9. neotek ◴[] No.23280368{4}[source]
Apple does give you the ability to install non-app-store apps (some without tethering), e.g. sideloading or enterprise certificates, although I agree it's not as easy as flipping a switch.

They should also provide a way to downgrade iOS via Xcode for those with a dev account, but that's another story.