Why your Mac stopped working on Thursday afternoon

Why your Mac stopped working on Thursday afternoon

Apple released the latest update to its operating system software, Big Sur, on Thursday afternoon. Right around the same time, Mac users across the Internet started complaining that programs were taking a long time to open – or not opening at all. This was happening even if they hadn’t tried upgrading to Big Sur and were just going about their day-to-day work.

While people joked that Apple was slowing down their devices to get them to upgrade, the reality was more insidious. One of Apple’s servers was having some trouble – like when you try to go to a website and it’s really slow or gives you an error. Except this server having issues impacted a “feature” of macOS that most people don’t know about: OCSP (Online Certificate Status Protocol).

What happens behind the scenes

Jacopo Jannone has a good writeup of what went wrong from a technical perspective. When you open an application on your Mac, Apple sends some information about that app back to its own servers. The information sent is about the developer of the application, which Apple uses to make sure the developer’s account is still valid and hasn’t been revoked for some reason. If it is, Apple can block the app from opening, or at least warn you.

If Apple’s OCSP server had been completely down – not responding at all – this wouldn’t have been a problem. Their code is smart enough to just move on and open the app if you’re not online or can’t connect to the server. The issue appears to be that the server was taking too long to respond.

The dangers of Apple’s OCSP checks

Apple says OCSP checks are part of their security model, to make sure that an application isn’t malware that’s going to harm your computer. By sending information back to Apple about the maker of the program you’re opening, it’s telling Apple a bit about what you’re doing on your computer. If that developer has a lot of apps, then maybe it’s not a big deal: You could be opening one of Adobe’s dozens of programs like Illustrator, Photoshop, InDesign, etc. But if the developer has one or two apps, and they are specialty apps that aren’t widespread, this information can be used to track who’s using the app and when.

Unfortunately, the information Apple sends back to their servers isn’t encrypted – it’s in plain text, so anyone on the network can intercept and see information about the developer of the application you’re opening.

Apple responds

On Monday, Nov 16, Apple published an article clarifying all the ways it collects information about the apps you’re opening. At the end, they note a few changes:

These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

In addition, over the the next year we will introduce several changes to our security checks:

* A new encrypted protocol for Developer ID certificate revocation checks
* Strong protections against server failure
* A new preference for users to opt out of these security protections

Apple: Safely open apps on your Mac

Not logging IP addresses is a good start, but until the encrypted protocol in the first bullet point is added, it only addresses half the issue. None of these requests, including IP addresses, need to be logged at all if the question is only whether an application should be trusted or not.

Stronger protections against server failure is just smart. Hopefully, in the future if this happens again, the system will realize after a second or two that it should give up trying to connect to the OCSP server and just open the app.

And finally, Apple will offer a preference to opt out of these invasive “security protections.”

It’s not your computer

You spent a lot of money on your Mac, but Apple doesn’t think it’s your computer. The idea that a server issue on Apple’s side can prevent you from using your device should be preposterous: You should be able to do what you want on your own device. The smart folks at Apple could find – and have – other ways to detect malware or other bad software without sending information about what apps you’re using back to the company. Even with Apple’s privacy-focused approach, the company continues to treat its customers as children who will should just accept protection from a benevolent overseer, with very little choice on getting out of that.

The anger against Thursday’s situation undoubtedly pushed Apple to write the article linked above and to start implementing those changes. Speaking out works, but we have a lot of work to do.