Comment by alwillis

4 years ago

All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.

Apple gave a detailed explanation. It was a server misconfiguration combined with a CDN issue which caused the OCSP certificate check to stop working, which caused Apple's system for ensuring certificates haven't been revoked to stop working:

    “We have never combined data from these checks
    with information about Apple users or their
    devices. We do not use data from these checks
    to learn what individual users are launching
    or running on their devices,” clarified the
    company.

    “Notarization checks if the app contains known
    malware using an encrypted connection that is
    resilient to server failures,” says Apple,
    further emphasizing, “These security checks
    have never included the user’s Apple ID or the
    identity of their device. To further protect
    privacy, we have stopped logging IP addresses
    associated with Developer ID certificate checks,
    and we will ensure that any collected IP addresses
    are removed from logs,” details Apple.

https://news.ycombinator.com/item?id=25108108