
2603 points mattsolle | 2 comments

_qulr No.25075533
OCSP is Online Certificate Status Protocol. The connection to ocsp.apple.com is checking the status of the certificate used to code sign the launching app.

I wrote an article about this a couple weeks ago because of the temporary revocation of HP's signing cert for printer drivers on the Mac:

https://lapcatsoftware.com/articles/revocation.html

ehsankia No.25078432
I'm sorry if this was answered elsewhere, but can someone explain to me how this works when you don't have an internet connection? I assume you can still launch apps without an internet connection. So then, what stops bad actors from just either blocking the connection to ocsp or straight up turning off your connection entirely when running malware?
Spivak No.25082884
Through the very mechanism people are complaining about today.

If your machine is offline, then it switches to a fail-open system: it uses its cache to verify the binary, and if the binary isn't in the cache it skips the check and allows it.

If your machine is online, then it switches to a fail-closed system, so that if you can't reach the servers because of something malicious, it blocks.

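The fail-open (offline, cache only) versus fail-closed (online, responder unreachable) policy described in this reply, as an added toy model that is not Apple's code and only approximates the behaviour the comment describes; the certificate identifier, the "good"/"revoked" cache values and the scenario names are constructed for the example. The scenarios also cover the two evasions raised in the question above: blocking just the responder host versus cutting the whole network.

```python
from enum import Enum
from typing import Dict, Optional

class Network(Enum):
    OFFLINE = "offline"
    ONLINE = "online"

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"

# Local cache of previously seen responder answers, keyed by the signing
# certificate's identifier; values are "good" or "revoked" (constructed).
Cache = Dict[str, str]

def launch_decision(network: Network, ocsp_reachable: bool,
                    cache: Cache, cert_id: str,
                    ocsp_status: Optional[str] = None) -> Verdict:
    """Decide whether a signed app may launch under the described policy."""
    if network is Network.OFFLINE:
        # Fail-open: only the cache is consulted; an unknown cert is allowed.
        return Verdict.BLOCK if cache.get(cert_id) == "revoked" else Verdict.ALLOW
    # Fail-closed: online but unable to reach the responder blocks the launch.
    if not ocsp_reachable:
        return Verdict.BLOCK
    assert ocsp_status in ("good", "revoked"), "responder answer required when reachable"
    cache[cert_id] = ocsp_status  # remember the answer for later offline checks
    return Verdict.BLOCK if ocsp_status == "revoked" else Verdict.ALLOW

def run_scenarios() -> Dict[str, Verdict]:
    """Constructed scenarios for a certificate the machine has never seen."""
    cert = "example-signing-cert"  # placeholder identifier, not a real cert
    return {
        # Responder reachable and reports the cert as good.
        "online_good": launch_decision(Network.ONLINE, True, {}, cert, "good"),
        # Responder reachable and reports a revocation (the printer-driver case).
        "online_revoked": launch_decision(Network.ONLINE, True, {}, cert, "revoked"),
        # Online, but only the responder host is unreachable: fail-closed blocks.
        "block_ocsp_host_only": launch_decision(Network.ONLINE, False, {}, cert),
        # Whole network down: fail-open, and an uncached cert passes.
        "cut_all_network": launch_decision(Network.OFFLINE, False, {}, cert),
        # Offline, but a revocation was cached during an earlier online check.
        "offline_cached_revoked": launch_decision(
            Network.OFFLINE, False, {cert: "revoked"}, cert),
    }
```

The "cut_all_network" result is the gap the question points at: the fail-open path only helps for certificates whose revocation was cached while the machine was still online.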
ehsankia No.25085288
So that seems like more of an analytics system to me than a protection system, if it can be circumvented so easily.
Spivak No.25087867
I think the philosophy is that you're not too often acquiring new software while offline so the usability trade-off isn't as bad as it seems.