A Technical Look at the Privacy Implications of MacOS’s OCSP

Jacopo Jannone:

No, macOS does not send Apple a hash of your apps each time you run them.

You should be aware that macOS might transmit some opaque information about the developer certificate of the apps you run. This information is sent out in clear text on your network.

You probably shouldn’t block ocsp.apple.com with Little Snitch or in your hosts file.

Apple should publish information about this system in the excellent — but alas, not comprehensive — Apple Platform Security report, including a clear statement regarding whether they keep logs of these checks. I’m guessing they do not — why would they? — but it would be good to be able to point to a clear statement.

Saturday, 14 November 2020