macOS OCSP “telemetry”—Explainer and Mitigation with Noise

“Why is Apple spying on us?”

An OCSP request for a mozilla.org certificate, sent by Firefox in plaintext and captured with Wireshark. You can query the serial number like this.

Complexity in trust

Ew, gross.
Example: My domain’s certificate was issued by Let’s Encrypt Authority X3, whose certificate was issued (cross-signed) by DST Root CA X3, whose certificate is listed in (trusted by) the root stores, all individually maintained by at least five different parties. Diagram on the right created by crt.sh.
Code signature information of trustd.
The TLS certificate for ocsp.entrust.net directs its own OCSP queries to ocsp.entrust.net.
From WWDC18, I think. I miss a crowd. Any crowd.
Sending status_request extension request. The payload — Apple PKI OCSP request — gets encrypted by the TLS layer, and as of TLS 1.3, the extension response — TLS OCSP response — is also encrypted.

What can you do now?

I think the whole concern boils down to these three perspectives.

Noise. Can you spot the “real” dots?
apple-ocsp-noiser in action.

Dongsung Kim

Security Researcher || Software Developer · make break software · https://kidi.ng