
One of the hallmarks of Apple news and commentary is how whenever Apple merely announces it will do something, Apple is treated like it already did it, while exactly matching its own promises.

The current headline* hints Apple has already made changes, while the article only says Apple 'plans' on making changes over the next year. Any other company would have been torn to shreds on HN if it kept sending cleartext logs and merely 'planned' to sometime patch this out.

The plan is odd too - why does Apple need 'a new encrypted protocol for Developer ID certificate revocation checks' when existing encryption protocols can do this?

* "Apple Addresses Privacy Concerns Surrounding App Authentication in macOS"



OCSP is not ‘an Apple protocol’. They didn’t design it and it is typically used without encryption.

Look at the certificates on sites you use, like this one. The OCSP server is http://ocsp.digicert.com . Http, so no encryption.
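An added example, not part of the thread: it decodes a plain-HTTP OCSP GET request to show which fields are readable on the wire, namely the certificate serial number and the issuer hashes. It assumes the GET form from RFC 6960 Appendix A with a SHA-1 CertID; the responder host `ocsp.example.test`, the issuer bytes and the serial are constructed sample values.

```python
import base64, hashlib
from urllib.parse import quote, unquote

def tlv(tag, body):  # DER-encode one element (short-form length only)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) for the element at buf[pos]
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(value):  # split a constructed value into (tag, value) members
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def build_get_url(base, issuer_dn, issuer_key, serial):
    """Constructed OCSP GET URL (RFC 6960 Appendix A) carrying one SHA-1 CertID."""
    sha1 = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    h = lambda b: tlv(0x04, hashlib.sha1(b).digest())
    serial_int = tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    cert_id = tlv(0x30, sha1 + h(issuer_dn) + h(issuer_key) + serial_int)
    request = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
    return base + "/" + quote(base64.b64encode(request).decode(), safe="")

def observer_view(url):
    """Fields a passive on-path observer can read from an OCSP GET request."""
    if not url.startswith("http://"):
        return []  # under TLS the request path is not visible on the wire
    der = base64.b64decode(unquote(url.rsplit("/", 1)[1]))
    tbs = children(read_tlv(der)[1])[0][1]  # OCSPRequest -> tbsRequest
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    seen = []
    for _, req in children(request_list):
        _, name_hash, key_hash, serial = (v for _, v in children(children(req)[0][1]))
        seen.append({"serial": hex(int.from_bytes(serial, "big")),
                     "issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex()})
    return seen

# Constructed sample values; ocsp.example.test is a placeholder responder.
SERIAL = 0x0A1B2C3D4E5F6071
URL = build_get_url("http://ocsp.example.test", b"sample DN", b"sample key", SERIAL)
```

`observer_view(URL)` returns one entry whose `serial` matches `SERIAL`; the same URL with an `https://` scheme returns an empty list because the path is no longer visible to the observer.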


I'm referring to this line from the article:

"a new encrypted protocol for Developer ID certificate revocation checks"

Not the current Apple implementation.


Fair, but my opinion is that OCSP became 'an Apple protocol' the moment that Apple implemented it on the device that they sold to me.


That’s a weird perspective. Is HTTPS an Oracle protocol because Oracle Linux includes curl?


You're telling me that you don't hold a developer responsible for the way he implements things, if he isn't the originator of the implementation?


Of course, but in that case it’s more appropriate to talk about “Apple’s implementation of the standard OCSP protocol” rather than ”Apple’s protocol”.


I don't agree, and moreover I note that this is a purely semantic point that you are making.

Apple is a major hardware manufacturer and software developer, and it seems totally appropriate to suggest that Apple is responsible for how it chooses to implement certain features. Saying "well, we just took it off the shelf" may work for a small-potatoes business, but not the largest public company in the world.

Additionally, it's like the Nuremberg Defense of software.

Any protocol (or tool in general) is appropriate for certain situations, and inappropriate (in this case, vulnerable) in other ones. You shouldn't suggest that others must bend over backwards semantically to try to pass the buck away from Apple, because Apple is responsible for using the protocol. Saying "Apple's protocol" indicates that Apple made the conscious choice to use that protocol, and that Apple has ownership of the consequences of using that protocol.


I think that is a confusing interpretation, fwiw.


> The current headline* hints Apple has already made changes,

I didn't read the headline that way at all, because the word "addresses" doesn't mean what you are suggesting it means.


According to my dictionary, "addresses" means:

> think about and begin to deal with (an issue or problem)

It doesn't imply that the solution has been fully implemented.


It implies Apple has 'begun to deal' with the issue when the only thing we may have is a plan to do this sometime in the near future.

[EDIT: every definition of 'address' I've found suggests it's a synonym for 'deal with' not 'begin to deal with']


> every definition of 'address' I've found suggests it's a synonym for 'deal with' not 'begin to deal with']

And "deal with" does not mean "fix" -- the word "addresses" makes perfect sense for this headline.


> To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks

Seems like they have begun to deal with it.

[EDIT: Perhaps it's because my definition came from Apple's dictionary app /s]


If you read the original thread, nobody complained Apple got his/her IP. Apple already has that IP from a thousand other vectors. The real issues (cleartext, being able to build a profile using Application data, etc.) aren't yet dealt with at all.


> One of the hallmarks of Apple news and commentary is how whenever Apple merely announces it will do something, Apple is treated like it already did it, while exactly matching its own promises.

And yet, this thread and every other Apple thread is full of comments like yours assuming negative intent. Check out other comments in this thread, you'll see comments asserting that of COURSE this feature is for harvesting or that Apple doesn't want you to own your devices any more. Your comment is another critique based entirely on what they might do: that they are not going to do what they promised.


The point is the headline implies something more expansive than the article's content; and if some other company would promise to fix sending private data in cleartext sometime later in the next year, HN would have a fit.


Others have pointed out that you are misunderstanding what the word "addresses" means. If they had announced that "tough shit, we ain't changing it" that would still be addressing the issue. Addressing does not mean "fixed" or "resolved".


I am not saying it isn’t true what you are saying, but do you have links to the companies that were collectively ‘torn to shreds’ over similar issues?

I have seen this argument a few times now without any references.

Were, for instance, Microsoft or Amazon torn to shreds over similar claims?


Think MS telemetry which AFAIK is encrypted and less invasive than the current Apple solution.


This type of PR changed after Tim Cook took over. I think the change of PR personnel and direction were to blame.



