
Deeplinks Blog


macOS Leaks Application Usage Information, and Apple Faces an Important Decision

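Translation: Open Culture Foundation. Last week, users of Apple's macOS operating system noticed that, when connected to the internet, launching non-Apple applications was met with long delays, or failed altogether. This happened because a macOS security service was trying to reach Apple's OCSP (Online Certificate Status Protocol) server, which could not be reached because of internal errors. When security researchers looked more closely at the contents of the requests sent to OCSP, they found that the requests contained a hash derived from the developer certificate of the application being run, which Apple uses for security checks [1]. The developer certificate contains a description of the individual, company, or organization that coded the application (for example Adobe or Tor), so which developers' applications are being launched is also leaked to Apple. Furthermore, the requests sent to OCSP are not encrypted, which means any eavesdropper could also learn which application a macOS user is opening and when [2]. Those who gain this capability include: any upstream service provider, Akamai, the ISP hosting Apple's OCSP service; the attacker could also be a hacker on the same network as you, for example someone connected to the Wi-Fi of the coffee shop you frequent at the same time as you. For a more detailed explanation, see this article. Another concern that comes with this privacy leak is that this traffic cannot be detected or blocked by user-space applications (such as LittleSnitch). Even though turning off this important macOS security service carries risk, we encourage Apple to allow those with administrator (power user) privileges to choose trusted applications to control where their network traffic is sent. Apple quickly announced a new encrypted protocol for checking developer certificates; in this encrypted version, they will allow users to choose whether to opt out of the security checks, but these fixes will not actually roll out until sometime next year. However, developing a new protocol and implementing it in software cannot be done overnight, so demanding that Apple make the change immediately would also be unfair. So why can't Apple simply turn the OCSP feature off for now? To answer this question, we first have to look at what the OCSP developer certificate check actually does. Its main purpose is to prevent harmful or malicious software from running on macOS machines. If Apple detects that a developer has shipped malware (using a stolen signing key, or maliciously using their own key), they can revoke that developer's certificate. The next time macOS launches the application, Apple's OCSP server will respond to the request (through...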

Cindy Cohn at Web Summit Conference - Civil rights online

EFF's Cindy Cohn will host a roundtable discussion that will look at "What are our rights online?" How can we protect them? This roundtable will explore what we should know about how the web and society are structured, and about their impact on us. Participants: Cindy Cohn, Electronic Frontier Foundation; Nevelina Aleksandrova, Ministry...


Elections Are Partisan Affairs. Election Security Isn't.

An Open Letter on Election Security. Voting is the cornerstone of our democracy. And since computers are deeply involved in all segments of voting at this point, computer security is vital to the protection of this fundamental right. Everyone needs to be able to trust that the critical infrastructure systems we...

EFF Urges Universities to Commit to Transparency and Privacy Protections For COVID-19 Tracing Apps

San Francisco—The Electronic Frontier Foundation (EFF) called on universities that have launched or plan to launch COVID-19 tracking technologies—which sometimes collect sensitive data from users’ devices and lack adequate transparency or privacy protections—to make them entirely voluntary for students and disclose details about data collection practices. Monitoring public...

Moderate Globally, Impact Locally: The Global Impacts of Content Moderation

While there has been plenty of discussion around the impact of social media on American democracy, across much of the Global South its influence has been even greater. In many emerging democracies, access to traditional media is limited, and independent journalism is a relatively young phenomenon. These factors can often...
