Mac Geekery

Tim Gaden over at Hawk Wings posted today about Mail.app phoning home in yet another misunderstanding about what “phoning home” means.

Before we begin, let’s talk a bit about phoning home, because there’s a bit of confusion about what phoning home means, and when we should care about phoning home, and when we shouldn’t. Check out the Wikipedia entry if you have any doubts.

Phoning home is usually surreptitious communication between applications or hardware installed at end-user sites and their manufacturers or developers. This could be for purposes of access control, such as transmitting an authorisation key. It could also be for marketing purposes, such as the “Sony Rootkit”, which transmits a hash of the currently playing CD back to Sony, or a digital video recorder (DVR) reporting on viewing habits.
“Wikipedia: Phoning home”:http://en.wikipedia.org/wiki/Phone_Home

Point is, we get hot and bothered about phoning home when it is part of some draconian authorization scheme or collection of marketing data. Mail.app’s behavior is none of this and a quick look through features of OS X and its stock apps would have found the answer.

It’s Not Always Happening

First off, I gave this a shot myself. I ran tcpdump for several hours but did not see a single connection back to any Apple.com or Mac.com servers. From a security context, if Apple were doing anything nefarious, they would probably always do it, whereas this would seem to be some ‘feature’ of .Mac (given the hostname). So, if it’s not happening on my machine here, nor on any of the others that I’ve tested in the office, what is it?

When It Is Happening?

When you make a new message in Mail.app, it searches .Mac for email certificates to validate, sign, and encrypt your emails. I babysat the tcpdump session while doing routine Mail.app chores, and found it only posts these queries when you create a new message, immediately after hitting “Compose” and before you have a chance to do much of anything else.

Let’s look back at the rollout of Tiger and .Mac 3.0. Apple unveiled (with little fanfare, actually) their own public certificate server and built in to Tiger the ability for applications of all types to query the server.¹

Put simply, Mail.app isn’t the culprit, and the culprit isn’t anything nefarious at all. Mail.app is using the .Mac SDK to query for public keys and you can disable this behavior in the application responsible for managing your certificates: Keychain Access.

In Keychain Access, go to preferences and disable “Search .Mac for Certificates.”

¹ Poke around in the .Mac SDK if you’d like to leverage this in your own applications.