MacOS Catalina: Slow by Design?

(sigpipe.macromates.com)
2031 points jrk | 1 comments
usmannk No.23275922
It seems like there is a lot of confusion here as to whether this is real or not. I've been able to confirm the behavior in the post by:

- Using a new, random executable. Even echo $rand_int will work. Edit: What I mean here is generate your rand int beforehand and statically include it in your script.

- Using a fresh filename too. Just throw a rand int at the end there. e.g. /tmp/test4329.sh

I MITMd myself while recording the network traffic and, sure enough, there is a request to ocsp.apple.com with a hash in the URL path and a bunch of binary data in the response body. Unsure what it is yet but the URL suggests it is generating a cert for the binary and checking it. See: https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

Here's the URL I saw:

http://ocsp.apple.com/ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGB...

Edit2: Anyone know what this hash format is? It's not quite base64, nor is it multiple base64 strings separated with '+'s but it seems similar...

Edit3: Here is the exact filename and file I used: https://gist.github.com/UsmannK/abb4b239c98ee45bdfcc5b284bf0...

Edit4 (final one probably...): On subsequent attempts I'm only seeing a request to https://api.apple-cloudkit.com and not the OCSP one anymore. Curiously, there's no headers at all. It is just checking for connectivity.

pinopinopino No.23281103
God, this shit makes me laugh. Why are they doing this?

But from Edit2: Your hash is some sort of base64

     let str = "ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e_baLCFIU0u76+MSmlkPCpsBBRXF+2iz9x8mKEQ4Py+hy0s8uMXVAIIfYbtkeEKZsI="

Then we see weird random gaps in the alphabet used, not so weird, because not every character will be used in every string:

     Prelude Data.List> map head $  group $ sort $ str
     "+0246789=ABCDEFGIKLMOPQRSTUVXYZ_abefghiklmpstuwxyz"

If we fill these up then:

     Prelude Data.List> let xs = "+0123456789=ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
     Prelude Data.List> length xs
     65

So base64 with some non-standard symbols. I don't know what standard base64 is supposed to look like, to be honest, so perhaps it is standard base64. The = is definitely padding.
saagarjha No.23281414
It decodes cleanly as base64.
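
Added example, not written by anyone in the thread: RFC 6960 (Appendix A) defines an OCSP GET request as the base64 of a DER-encoded OCSPRequest placed in the URL path, so the string quoted above can be decoded and walked down to its CertID fields. The sketch assumes the `_` in the quoted string is the URL-safe spelling of `/`; the function names are illustrative.

```python
import base64
from urllib.parse import unquote

# Path segment exactly as quoted in the thread above.
PATH = "ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e_baLCFIU0u76+MSmlkPCpsBBRXF+2iz9x8mKEQ4Py+hy0s8uMXVAIIfYbtkeEKZsI="

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def oid_to_str(raw):
    """Decode DER OBJECT IDENTIFIER contents to dotted notation."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_ocsp_get_path(segment):
    """Return the first CertID; assumes '_'/'-' are URL-safe '/' and '+'."""
    b64 = unquote(segment).replace("_", "/").replace("-", "+")
    der = base64.b64decode(b64, validate=True)
    tag, ocsp_request, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs = children(children(ocsp_request)[0][1])         # TBSRequest fields
    request_list = next(v for t, v in tbs if t == 0x30)  # skips [0] version
    cert_id = children(children(children(request_list)[0][1])[0][1])
    (_, alg), (_, name_hash), (_, key_hash), (_, serial) = cert_id
    return {"hash_oid": oid_to_str(children(alg)[0][1]), "serial": serial.hex(),
            "issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex()}

print(parse_ocsp_get_path(PATH))
```

The decoded fields identify a certificate (issuer name hash, issuer key hash, serial number) whose revocation status is being queried; OID 1.3.14.3.2.26 means the two hashes are SHA-1.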