Is Mac OS Big Sur Spying?



  • I would like to know if macOS "Big Sur" sends unencrypted OCSP requests. I am a newbie and not aware of technical stuff, but when I came across Jeffrey Paul's article, I am a bit concerned about whether to continue using Mac.



  • I would like to know if macOS "Big Sur" sends unencrypted OCSP requests.

    Likely it does. But it is not the fault of MacOS. Instead the OCSP URL in most certificates is HTTP only. Insofar a change to a different OS will not change it. It might change though what certificates are used in the first place. With checking certificates of web sites it likely makes no difference, and OCSP is often not used in this context anyway. With checks of application signatures it can make a difference - for example Linux-based systems usually don't use signed applications in the first place and thus there is also no certificate to check.

    ... but when I came across Jeffrey Paul's article, ...

    This article is a bit misleading in that it claims that information about the application used is included in the OCSP request. This is not true. For signed applications (which is what this article is about, not HTTPS in the context of web sites) the OCSP request only includes information about the developer certificate used to sign the application. See Does Apple really log every app you run? A technical look.

