Pinboard (jm)
https://pinboard.in/u:jm/public/
recent bookmarks from jm

Can’t open apps on macOS: an OCSP disaster waiting to happen | CryptoHack Blog
2020-11-16T12:49:01+00:00
https://blog.cryptohack.org/macos-ocsp-disaster
jm
If Apple’s OCSP check was built to soft-fail [which is apparently the case], then why did apps hang when the OCSP Responder was down? Probably because this was actually a different failure case: the OCSP Responder was not completely down, it was performing badly. Due to the load added by millions of users worldwide upgrading to macOS “Big Sur”, Apple’s servers slowed to a crawl, and although they weren’t properly answering OCSP queries, they were working just enough that the soft-fail didn’t trigger.
IMO -- this is a big fail by Apple. Network callouts to perform OCSP checks on app startup are a critical case where a Hystrix-level infrastructure of timeouts and short-circuits was appropriate, to fail safely in as many situations as possible.
The article goes on:
By adding several mundane failure modes to the verification process, OCSP spoils any cryptographic elegance the code signing and verifying process has. While OCSP is also widely used for TLS certificates on the internet, the large number of PKI certificate authorities and relaxed attitude of browsers means that failures are less catastrophic. Moreover, people are accustomed to seeing websites become unavailable from time to time, but they don’t expect the same from apps on their own devices. macOS users were alarmed at how their apps could become collateral damage for an infrastructure issue at Apple. Yet this was an inevitable outcome arising from the fact that certificate verification depends on external infrastructure, and no infrastructure is 100% reliable.
Scott Helme also has concerns about the power that Certificate Authorities gain when certification revocation actually works effectively. Even if you aren’t bothered about the potential for censorship, there will be occasional mistakes and these must be weighed against the security benefits. As one developer discovered when Apple mistakenly revoked his certificate, the risk of working within a locked down platform is that you may get locked out.
Tags: apple ocsp fail fail-safe hystrix osx macos
https://pinboard.in/u:jm/b:27b5a7d8e83b/

Not able to configure more than 3 PS Move controllers on a Macbook Pro Retina 13 inch, Early 2015 :: Sportsfriends General Discussions
2019-12-05T11:37:53+00:00
https://steamcommunity.com/app/277850/discussions/0/154641879455478145/
jm
Tags: joust sportsfriends games bluetooth tips osx macos
https://pinboard.in/u:jm/b:01ace6a0e2e2/

James Friend | PCE.js - Classic Mac OS in the Browser
2014-01-22T23:34:48+00:00
http://jamesfriend.com.au/pce-js/
jm
This is a demo of PCE's classic Macintosh emulation, running System 7.0.1 with MacPaint, MacDraw, and Kid Pix. If you want to try out more apps and games see this demo.
Incredible. I remember using this version of MacPaint!
Tags: javascript browser emulation mac macos macpaint macdraw claris kid-pix history desktop pce
https://pinboard.in/u:jm/b:76bf7eead4a1/