"Entertainment services, namely, providing interactive multiplayer game services for games played over computer networks and global
communications networks; providing computer games and video games downloadable over computer global communications
networks; providing information on the video game and computer game industries via the Internet; and providing information on
computer games, video games, video game consoles and accessories therefor via the Internet"
That was before the WWDC 2019 announcement that all kexts are now deprecated and will be disabled soon. The Little Snitch team has been quiet about this.
Panic got some special exemptions to be in the Mac App Store previously, but they are not allowed to talk about it in detail. Perhaps LS is going a similar route and it will be revealed when Apple releases the next version of macOS.
As a registered developer, there's a clear path to reach out to Apple and make my case, but that doesn't guarantee I can use the MAS. A lot of devs don't see a need for it though, because the Mac userbase, in general, knows how to get apps on the www.
As long as I can distribute outside, I'm okay with it. But I, and even the biggest Apple fans in the press, have acknowledged the walls closing in.
That's about a different deprecation back in 2018(?). Note this bit:
>But what happens if Apple will not or cannot provide the required features? NKEs will be deprecated, but not Kernel Extensions in general. We can still implement a Kernel Extension to augment the functionality of the NE framework.
SRI doesn't really protect against man-in-the-middle. They protect against somebody having access to manipulate the data on the CDN or a malicious CDN.
If an attacker is in a position to be man-in-the-middle and can already get around HTTPS, they might as well compromise the page loading those resources.
If you serve your start page yourself, or via a different cdn - then Sri would protect against malicious code from other cdns such as pika.
If, say, you serve example.com from one source, and link js via pika.cdn - then if pika is compromised, your site would be too. If using sri, the example.com infrastructure would have to be subverted.
All things being equal, mitm ssl or subverting a well run cdn is hard - but if you double the number of cdns in play, you make compromise of one of them twice as likely/easy. With sri, you get to keep your single point of compromise - but can leverage the benefit of a besboke cdn for your js. If any.
Not sure if it can be considered a MITM attack, but without subresource integrity the developers have to blindly trust the Pika CDN to host the same script file on that URL.
SRI might be impossible to implement in this case, not only because of the Differential Serving feature but the fact, based on their examples, that developers should link to the major versions of projects, which would mean that the content under the URL will change.
This is where a reliable IPFS-like CDN would shine.
- Strip SSL by for instance blocking port 443 and hoping they fall back to HTTP.
- Get your own root certificate installed on the equipment of the user you are attacking. This is fairly common in corporate environments for instance.
- MD5 collision attacks (although almost every certificate would be SHA signed these days)
