Yes, but Apple keeps track of the applications you open and sends that data through third parties unencrypted.
Imagine you open Tor on your Mac: Apple will send a request with Date, Time, Computer, ISP, City, State and Application Hash through the open internet for anyone who is listening.
That by itself is not very interesting, but if you combine it with all the other data hoarding that happens, it can be traced back to you.
This is completely false. Jeffrey Paul was extremely dishonest about the location data, which is not sent at all, and he misunderstood how OCSP works. It doesn’t send the hash of the binary. Others have cleared this up and Apple released a statement.
It's not false except in some insignificant details. The OCSP request still tells Apple the developer ID, which for some software is just as revealing.
For the Tor Browser, the developer ID used with OCSP is:
The Tor Project, Inc (MADPSAYN6T)
That's certainly enough to tell Apple you are running Tor Browser, Tor itself, or something else from the Tor project!
Also, that's only OCSP, which runs often. Gatekeeper also runs, though only the first time each new executable is run. Gatekeeper does tell Apple the hash of the application. That will show up each time you run it after updating to a new version.
The stuff about street address etc. is wrong, but not completely wrong. Because the request is sent when you open the application, as a side effect it reveals your approximate location (to any third-party eavesdroppers, not just Apple) and an accurate timestamp of the moment when you opened Tor.
Of course anyone eavesdropping nearby can detect the Tor traffic itself, though only on the paths used to the Tor exit node. Separate from the Tor traffic, Apple and any routers along the path to Apple (e.g. the "great firewall") can identify devices running Tor from far away, even if they don't have direct evidence of Tor traffic from those devices. I think it quite likely that the CCP (among others) will be logging these OCSP requests at the great firewall already.
> the data sent to Apple’s OCSP server contains information relating to an app’s developer but not the app itself. It adds that Apple’s Gatekeeper service can send the hash of an executable, but that this is separate to OCSP and happens over an encrypted connection. Apple’s own support page notes that Gatekeeper uses “an encrypted connection that is resilient to server failures.”
> In its updated support document, Apple makes clear that security checks it makes when authenticating software do not include a user’s Apple ID or device identity. The company also says it’s stopped logging IP addresses associated with the Developer ID certificate checks. “We have never combined data from these checks with information about Apple users or their devices,” writes the iPhone-maker. “We do not use data from these checks to learn what individual users are launching or running on their devices.”
It doesn’t send any of that geolocation data, which is not an insignificant detail. That’s an egregious claim and he just made it up, and now people are repeating it everywhere.
It doesn’t send a text string of the developer ID. It sends the thumbprint for the certificate. That’s still some information that could be used indirectly to determine some apps that may be running, but you’d have to at least collect a mapping database by sampling common apps.
Most importantly, it doesn’t even try to explain what OCSP is. This is critical in order to understand the purpose. Without that, and with the other false or misleading info, it looks like this literally exists for the purpose of tracking your every move and what apps you use. But that isn’t what it is at all. It’s a good-faith malware protection feature that has some potentially unwanted side effects with privacy implications, and even those implications are substantially less than what is claimed.
There are legitimate privacy concerns with OCSP, but I feel that it’s important to represent the situation accurately. This is an off-the-shelf revocation checking protocol that was implemented to the spec. We should pressure them to improve it (which sounds like it already happened, a very positive sign), but it’s unhelpful to paint them as villains over it for following a standard and not even keeping any of the data that is sent back.
You’re correct that the notarization check has a hash, but that’s not what he was talking about. Also, that’s sent once and encrypted, I believe.
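As an added illustration of the points above about what the "thumbprint" in the request actually is and what the off-the-shelf revocation protocol sends (this is my own example code, not from the thread, Apple, or the Tor Project): an unsigned RFC 6960 OCSP request carries a CertID, i.e. a hash of the issuing CA's name, a hash of the issuing CA's public key, and the serial number of the certificate being checked. No application hash, no developer-ID text string, no Apple ID, no location field. The issuer name, issuer key bytes, serial number, team ID and lookup table below are constructed placeholders; the script builds such a request with stdlib-only DER helpers, parses it back, and shows how an observer who has sampled signed apps beforehand can still map the (issuer key hash, serial) pair to a developer.

```python
"""Constructed example: what an unsigned OCSP request (RFC 6960) contains.

The issuer name, issuer key bytes, serial number and team ID are placeholders
made up for this illustration, not Apple's or the Tor Project's real values.
"""
import hashlib


# ---- minimal DER encoding helpers (standard library only) ----------------
def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_int(value):
    """Non-negative INTEGER; the extra bit keeps a high bit from reading as a sign."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_name_cn(cn):
    """X.501 Name with one commonName RDN (OID 2.5.4.3, UTF8String)."""
    rdn = der_seq(der(0x06, bytes([0x55, 0x04, 0x03])), der(0x0C, cn.encode()))
    return der_seq(der(0x31, rdn))


# AlgorithmIdentifier { sha1 (1.3.14.3.2.26), NULL }
SHA1_ALGID = der_seq(der(0x06, bytes([0x2B, 0x0E, 0x03, 0x02, 0x1A])), der(0x05, b""))


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# ---- build the wire bytes ------------------------------------------------
def build_ocsp_request(issuer_name_der, issuer_key_bytes, serial):
    """OCSPRequest { TBSRequest { requestList { Request { CertID } } } }, unsigned."""
    cert_id = der_seq(
        SHA1_ALGID,
        der(0x04, hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
        der(0x04, hashlib.sha1(issuer_key_bytes).digest()),  # issuerKeyHash
        der_int(serial),                                     # serialNumber
    )
    request = der_seq(cert_id)           # Request
    request_list = der_seq(request)      # SEQUENCE OF Request
    tbs_request = der_seq(request_list)  # TBSRequest (version v1 omitted)
    return der_seq(tbs_request)          # OCSPRequest without optionalSignature


# ---- parse it back, as the responder or an eavesdropper would ------------
def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items


def parse_ocsp_request(req):
    """Extract every CertID; these three fields are all a request identifies."""
    _, ocsp_body, _ = der_read(req)
    _, tbs_body, _ = der_read(ocsp_body)
    # TBSRequest children: optional [0] version, [1] requestorName, the
    # requestList SEQUENCE, optional [2] extensions.
    request_list = next(body for tag, body in der_children(tbs_body) if tag == 0x30)
    out = []
    for _, request_body in der_children(request_list):
        _, cert_id_body = der_children(request_body)[0]
        _alg, name_hash, key_hash, serial = der_children(cert_id_body)
        out.append({
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big"),
        })
    return out


# ---- constructed sample data ---------------------------------------------
SAMPLE_ISSUER_NAME_DER = der_name_cn("Sample Developer ID CA (constructed)")
SAMPLE_ISSUER_KEY = b"constructed placeholder for the issuer subjectPublicKey bits"
SAMPLE_SERIAL = 0x4A2F7C1D9E8B6035       # constructed serial number
SAMPLE_TEAM_ID = "EXAMPLE123"            # constructed stand-in for a team identifier
SAMPLE_REQUEST = build_ocsp_request(SAMPLE_ISSUER_NAME_DER, SAMPLE_ISSUER_KEY, SAMPLE_SERIAL)

# What a watcher can assemble by sampling signed apps ahead of time:
SAMPLE_MAPPING = {
    (sha1_hex(SAMPLE_ISSUER_KEY), SAMPLE_SERIAL): "Example Developer, Inc (%s)" % SAMPLE_TEAM_ID,
}


def identify(request, mapping=SAMPLE_MAPPING):
    """Map each CertID in the request to a developer using a pre-built table."""
    return [mapping.get((e["issuer_key_hash"], e["serial"]), "unknown certificate")
            for e in parse_ocsp_request(request)]


def contains_text(request, text):
    """True if a human-readable identifier appears verbatim in the wire bytes."""
    return text.encode() in request


if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print(parse_ocsp_request(SAMPLE_REQUEST))
    print(identify(SAMPLE_REQUEST))
```

The request itself is 75 bytes of hashes and a serial: the CA name and the team ID never appear in it, which is why a passive observer needs a pre-built (issuer key hash, serial) table to turn it into "this machine is running something signed by developer X". The leak the thread is arguing about is therefore not a field in the message but the combination of that table with the source IP and the moment the request was sent.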