Apple Addresses Last Week’s OCSP Server Failure and Related Privacy Concerns

Apple updated its “Safely Open Apps on Your Mac” support document, in response to last week’s server failure and the ensuing privacy concerns:

We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices. These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

In addition, over the next year we will introduce several changes to our security checks:

  • A new encrypted protocol for Developer ID certificate revocation checks

  • Strong protections against server failure

  • A new preference for users to opt out of these security protections

They posted this update over the weekend.

Monday, 16 November 2020