A throwback to remind ourselves that Apple is terrible for privacy

  • Dnn@lemmy.world
    1 year ago

    The video is basically some dude reading a blog post (boy, I hate those, provide no value). The blog post he reads is this: https://sneak.berlin/20201112/your-computer-isnt-yours/

    The author comments to the blog post you linked and it partially makes sense: if you fetch the developer’s certificate, Apple knows when you started an application of that developer (and which public IP address you have).

    Whether or not there are many devs that only made one application, so you can identify this, I cannot estimate, I’m not an Apple user. But you don’t need to send a hash calculated on the client side to get this info.

    • octalfudge@lemmy.world
      1 year ago

      You’re absolutely right that it’s still an issue to transmit information about the developer certificate. Apple published a response to this, which admittedly is not ideal:

      https://support.apple.com/en-us/HT202491#view:~:text=Privacy%20protections

      We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.

      These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

      In addition, over the next year we will introduce several changes to our security checks:

      A new encrypted protocol for Developer ID certificate revocation checks

      Strong protections against server failure

      A new preference for users to opt out of these security protections
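The thread's point that a certificate check reveals the developer without any client-side hash of the app can be seen in the request format itself. The following is an added example (not from the thread, the linked blog post or Apple) that builds and decodes a minimal RFC 6960 OCSP request, on the assumption that the Developer ID revocation check is an OCSP lookup; all names and values in it are constructed.

```python
import hashlib

# DER AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26, NULL parameters)
SHA1_ALG = bytes.fromhex("300906052b0e03021a0500")

def tlv(tag, body):
    """Encode one DER element; short-form length is enough for this example."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_ocsp_request(issuer_name, issuer_key, serial):
    """OCSPRequest > TBSRequest > requestList > Request > CertID (RFC 6960)."""
    cert_id = tlv(0x30, SHA1_ALG
                  + tlv(0x04, hashlib.sha1(issuer_name).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + tlv(0x02, serial))
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; returns (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split the contents of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def cert_ids(ocsp_request):
    """Return the CertID fields of every certificate queried in the request."""
    tbs = children(read_tlv(ocsp_request)[1])[0][1]
    # Skip optional context-tagged fields (version, requestorName, extensions)
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    ids = []
    for _, request in children(request_list):
        _alg, name_hash, key_hash, serial = (
            v for _, v in children(children(request)[0][1]))
        ids.append({"issuer_name_hash": name_hash.hex(),
                    "issuer_key_hash": key_hash.hex(),
                    "serial": serial.hex()})
    return ids

# Constructed sample values, not taken from any real certificate or application
ISSUER_NAME, ISSUER_KEY = b"CN=Example Developer ID CA", b"example issuer key"
DEV_CERT_SERIAL = bytes.fromhex("1a2b3c4d5e6f7081")
APP_BINARY = b"constructed application bytes"
REQUEST = build_ocsp_request(ISSUER_NAME, ISSUER_KEY, DEV_CERT_SERIAL)
```

Every field the responder receives is derived from the certificate and its issuer, so the request is identical for every application signed with that certificate, and the serial number alone identifies the developer.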