Most active commenters
  • userbinator(3)
  • pjmlp(3)

←back to thread

MacOS Catalina: Slow by Design?

(sigpipe.macromates.com)
2031 points jrk | 18 comments | 22 May 20 15:39 UTC | HN request time: 0.001s | source | bottom
Show context
usmannk ◴[22 May 20 19:25 UTC] No.23275922[source]
It seems like there is a lot of confusion here as to whether this is real or not. I've been able to confirm the behavior in the post by:

- Using a new, random executable. Even echo $rand_int will work. Edit: What I mean here is generate your rand int beforehand and statically include it in your script.

- Using a fresh filename too. Just throw a rand int at the end there. e.g. /tmp/test4329.sh

I MITMd myself while recording the network traffic and, sure enough, there is a request to ocsp.apple.com with a hash in the URL path and a bunch of binary data in the response body. Unsure what it is yet but the URL suggests it is generating a cert for the binary and checking it. See: https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

Here's the URL I saw:

http://ocsp.apple.com/ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGB...

Edit2: Anyone know what this hash format is? It's not quite base64, nor is it multiple base64 strings separated with '+'s but it seems similar...

Edit3: Here is the exact filename and file I used: https://gist.github.com/UsmannK/abb4b239c98ee45bdfcc5b284bf0...

Edit4 (final one probably...): On subsequent attempts I'm only seeing a request to https://api.apple-cloudkit.com and not the OCSP one anymore. Curiously, there's no headers at all. It is just checking for connectivity.

replies(13): >>23275956 #>>23276180 #>>23277591 #>>23277808 #>>23278027 #>>23278103 #>>23278258 #>>23278367 #>>23278388 #>>23279695 #>>23281103 #>>23284359 #>>23420492 #
kccqzy ◴[22 May 20 19:30 UTC] No.23275956[source]
OCSP is Online Certificate Status Protocol, generally used for checking the revocation status of certificates. You used to be able to turn it off in keychain access, but that ability went away in recent macOS releases.
replies(1): >>23276763 #
VonGuard ◴[22 May 20 20:45 UTC] No.23276763[source]
Ah, Apple. When you can no longer innovate, just start removing features and call it simplicity...
replies(4): >>23277034 #>>23277355 #>>23277462 #>>23279640 #
throwaway851 ◴[22 May 20 21:50 UTC] No.23277462[source]
Another way to look at it is that Apple is making it harder to run the system in an insecure fashion. You may not agree with that decision, but I certainly appreciate how Apple is looking out for the safety and security of the user.

Tangent: as much as some developers hate that the only way to distribute apps for the iPhone is through the App Store, as a user I consider that walled garden of apps to be a real security benefit. When John Gruber says “If you must use Zoom or simply want to use it, I highly recommend using it on your iPad and iPhone only. The iOS version is sandboxed and reviewed by the App Store.” There’s a reason why he can say things like that and it’s because Apple draws a hard line in the sand that not everyone will be happy with.

replies(8): >>23277588 #>>23278246 #>>23278605 #>>23278675 #>>23278822 #>>23279704 #>>23279782 #>>23282372 #
userbinator ◴[22 May 20 23:23 UTC] No.23278246[source]
Another way to look at it is that Apple is making it harder to run the system in an insecure fashion. You may not agree with that decision, but I certainly appreciate how Apple is looking out for the safety and security of the user.

"Those who give up freedom for security deserve neither."

(Yes, I know the original intent was slightly different, but that old saying has gotten a lot more vivid recently, as companies are increasingly using the excuse of security to further their own interests and control over their users.)

The ability to control exactly what millions of people can or cannot run on "their" computers is an authoritarian wet dream. People may think Apple's interests aligns with theirs --- but that is not a certainty. How many times have you been stopped from doing what you wanted to because of Apple? It might not be a lot so far, but can you break free from that relationship when/if it does turn against you?

replies(4): >>23278364 #>>23278968 #>>23279076 #>>23280221 #
1. roenxi ◴[23 May 20 01:26 UTC] No.23278968[source]
The quote isn't at all relevant to technical decisions though. Eg, there is enforcement that a program can't arbitrarily access any RAM it likes on the same machine. That is trading freedom for security and it is a good trade. And there isn't really an argument against gatekeeping software - users as a body don't have time to verify that the software they use is secure. I'd be shocked if the median web developer even reads up on all the CVEs for their preferred libraries. Gatekeepers are an overwhelmingly good idea for typical don't-care everyday users.

The issue is if it becomes practically impossible to move away from Apple to an alternative. Given that they have a pretty typical market share in absolute terms that doesn't seem like a risk right now. They don't even hold an absolute majority in what I assume is their strongest market, the US, let alone globally.

replies(2): >>23279239 #>>23296732 #
2. Wowfunhappy ◴[23 May 20 02:17 UTC] No.23279239[source]
Of course it's relevant! Software is a form of expression. Apple controls what types of expression are allowed on your phone.

A developer made a game depicting bad practices at FoxConn. Apple removed it for "Objectionable Content"[1]. How is this inherently different from Apple saying you can't use your iPhone to read a certain book?

Apple's restrictions also make it easy for authoritarian governments to ban software they dislike: https://news.ycombinator.com/item?id=21210678

[1] https://www.theverge.com/2012/10/12/3495466/apple-bans-anoth...

replies(2): >>23279395 #>>23280733 #
3. roenxi ◴[23 May 20 02:46 UTC] No.23279395[source]
It is identical, and if I considered my phone to be primarily a research platform I'd be really upset. I got really upset with YouTube mucking around curating what videos they allow on their platform because I want to choose my own videos.

But ultimately I own an iPhone because I need a GPS map, SIM card and web browser on the go. Apple doesn't exercise any creative control over those things. Apart from that they explicitly sell a highly curated platform. I expect them to make decisions I don't agree with; that is what curators do. That is the service they sell so I'm not going to complain.

If someone used that walled garden approach on my PC I'd be furious. On my phone, I give them hundreds of dollars for the privilege. If I were going to get upset about freedom and phones, which is reasonable, I have a loooong list of problems before I get to Apple's security model - starting with government interception of messages and moving down to having my name attached to my SIM card. Apple's activities don't really rate, and they have better incentives than Google.

PS. I'm not arguing against phones being scary. Look at the COVID tracking apps that some companies and governments are bringing out that might become mandatory one day. Or the way the US is known to use phone GPS to target drone strikes. Phones are terrifying. Apple's curating/censorship/what have you really doesn't rate on my threat model when dealing with a phone.

replies(2): >>23279520 #>>23282378 #
4. userbinator ◴[23 May 20 03:09 UTC] No.23279520{3}[source]
If someone used that walled garden approach on my PC I'd be furious.

As this article shows, Apple is slowly moving in that direction for their PCs. They aren't going to be satisfied with locking down their phones only.

replies(1): >>23284501 #
5. pjmlp ◴[23 May 20 07:20 UTC] No.23280733[source]
Not at all, you are always free to buy computers, phones and tablets from other vendor.

Don't go buy Apple and then cry in the corner that you aren't getting the right set of toys to play with.

I use Apple devices and fully support don't having random app uploading my stuff into the world.

replies(2): >>23281182 #>>23285919 #
6. pinopinopino ◴[23 May 20 08:36 UTC] No.23281182{3}[source]
Sure, you can buy whatever you want, you aren't living in a dictatorial country. Sadly enough, most people can't say this. Therefore it is important for you to fight decisions like this. If something doesn't exist, it cannot be abused by some regime.

I am going to say something very cynical now, if the reader doesn't like that, he should tune out now. But I guess Apple can't wait to have that special China deal. ^_^

replies(1): >>23281371 #
7. pjmlp ◴[23 May 20 09:08 UTC] No.23281371{4}[source]
Except Apple isn't a dictatorial country, and there are other computer vendors to choose from.

Apple isn't Mafia, doing personal visits while giving advices to buy Apple computers otherwise accidents do happen.

Buying an Apple computer is a conscious decision.

I love how many around here make their decisions, and then feel entitled to complain and point the finger to big corporations, as if these corporations are the only ones to blame and they poor souls were mislead.

replies(2): >>23281731 #>>23282806 #
8. pg-gadfly ◴[23 May 20 10:17 UTC] No.23281731{5}[source]
Buying a house and suddenly getting your water cut off because the county"doesent feel like it" is also similarily a "conscious" decision, and similarily bites you only a time after you bought something.

You might say that's illegal, and I'd recommend thinking about why that has become the way it is. Things are deemed important to everyday life, and suddenly they aren't free game.

replies(1): >>23281809 #
9. pjmlp ◴[23 May 20 10:36 UTC] No.23281809{6}[source]
Which fails again as an example, because legally is not the same thing.
replies(1): >>23282858 #
10. davrosthedalek ◴[23 May 20 12:28 UTC] No.23282378{3}[source]
Last time I checked, they force you to use the safari engine for your web browser on IOS. Also having a curated app store doesn't mean they have to disallow any other means of installing software. It's even ok if they say: You installed other software, no support for you. But making it not possible is a money grab.
11. pinopinopino ◴[23 May 20 13:35 UTC] No.23282806{5}[source]
Multinationals are not countries, but they are operating in multiple countries and there actions can have influence on the people in those countries. If Apple makes it possible to stop certain software to be installed then China can abuse the mechanism.

And I am entitled to complain about big corporations. That is the beauty if you life in a free country and even if it wasn't free to complain about them, I still would do it.

I rather see them all burn today than tomorrow.

12. pg-gadfly ◴[23 May 20 13:41 UTC] No.23282858{7}[source]
It's can vs. can't, which is perfectly comparable, in both cases you cant know what you get until afterwards, which is not acceptable. When the freedom to use the your own devices is in question, it needs to be addressed.

Shifting the blame onto the victims by saying they should have known the county can do that, is just sheltering yourself from the uncomfortable truth.

I don't want to feel like I'm being taken advatage of either, believe me. It's just better to fight back than let it roll over you.

13. kiawe_fire ◴[23 May 20 16:58 UTC] No.23284501{4}[source]
Are they really moving in that direction, though?

An App Store from which you can download software with confidence is a pretty sensible first step for most users.

Complementing that with a Notarization service for apps that can't live in the App Store, while still giving both users and developers confidence that the user is installing the "real" app, and not something malicious, seems like a pretty sensible way to protect most users outside the App Store.

And if all else fails, there are ways to allow running that un-Notarized, non-App Store app that you're sure you trust.

None of that seems like something that inherently means to take away your ability to run what you want on your PC, it just sounds like a common sense approach to giving your users confidence in what they run, and guiding them to do so safely by default, while allowing overrides as needed.

Are these ALSO things that Apple could use to lock down your PC completely?

Sure... but then, why bother with any of it if that was the intent?

They already have Mac App Store, and they already have the infrastructure to deal with a "whitelist only" approach, so why bother with this Notarization and Gatekeeper stuff at all?

Don't get me wrong, there's plenty of room to criticize Apple for their implementation. They are clearly figuring out some of this as they go, and trying to find a proper balance. That isn't easy, despite how many people make it out like it is.

Give the average user too many prompts or chances to override security, and they will do that, every time, without thinking it through.

On the other hand, bury the overrides too deeply, and risk making things miserable for the developers and power users who need to use your platform freely.

So far, I see only evidence that Apple is trying to find that balance, but no evidence that they intend to lock the entire platform down entirely.

Are they doing it perfectly? Clearly not. But I think if we're being honest, no other platform has either. I appreciate Apple's approach the most so far, but time will tell if they are able to figure this balance out or if another platform will at some point.

replies(1): >>23284711 #
14. vetinari ◴[23 May 20 17:22 UTC] No.23284711{5}[source]
> They already have Mac App Store, and they already have the infrastructure to deal with a "whitelist only" approach, so why bother with this Notarization and Gatekeeper stuff at all?

Change management. For the same reason why Ebay had to backtrack changing their background color and do it again, slowly.

replies(1): >>23292824 #
15. userbinator ◴[23 May 20 20:06 UTC] No.23285919{3}[source]
When they force their proprietary standards on everyone else... https://news.ycombinator.com/item?id=23250831
replies(1): >>23289978 #
16. saagarjha ◴[24 May 20 08:01 UTC] No.23289978{4}[source]
Apple was the first major HEIC adopter, but it’s not really something proprietary they came up with: https://en.wikipedia.org/wiki/High_Efficiency_Image_File_For...
17. kiawe_fire ◴[24 May 20 16:59 UTC] No.23292824{6}[source]
That's certainly possible.

But as someone who has been using Macs on and off for about 10 years now, I've heard people shout that Apple was locking down Macs from the moment the App Store was created on iOS (and long before it came to MacOS). So far, that hasn't happened.

Is it possible this is the next step in a 10+ years plan to "boil the frog slowly"? Of course! Not sure how they would accomplish this without also losing the developers they need to continue making both MacOS and iOS viable platforms for users, but I guess if they just don't care and want to lock everything down, this could certainly be one more step towards their long term nefarious goal.

But it also still seems like a reasonable step towards making their platform more trusted and secure for the average user while continuing to give devs and power users control.

So far, I see no evidence for the former, and enough evidence for the later, that I'm not too worried.

18. ecnahc515 ◴[25 May 20 01:22 UTC] No.23296732[source]
I agree. I'd take your point on gatekeepers being a good idea further.

Gatekeepers are a good idea for even experts. There's a reason it's still in your best interest to use battle tested crypto libraries instead of writing your own, even if you're a security expert. The reason stands that it's possible for experts to make mistakes, which is why auditing is so important.

Now for this to hold, we need to assume Apple has done a good job with their notarization system, and that it's regularly audited to ensure it's not causing too many issues.

In this case, I trust Apple isn't doing these things to make developers life harder. They're doing it because it's incredibly difficult to make something both ergonomic for experts (developers) and secure/safe for non-experts (average end-users), and they would rather ship something less-than-perfect for developers if it's going to help non-developers.