Comment by vsskanth

4 years ago

Can apple not use security certificates to verify publishers ? why does it need to go to their servers ?

The URL mentioned in sibling comments suggests this has to do with certificate revocation (OCSP): https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

  • > I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

    Based on the OP tweet... depending on the way it is unavailable, the failure is indeed ignored in some cases. "Denying that connection fixes it, because OCSP is a soft failure (Disconnect internet also fixes.)"

    So it may be an actual unintended bug that a particular failure path results in a DoS instead?

  • Normally if there's no internet Gatekeeper instead checks the "stapled" notarization ticket from the notarization process. But since there is internet, and the ocsp server is technically "up" gatekeeper isn't checking the tickets.

  • actually I think the problem is not that it is not available, heck /etc/hosts fixes wouldn't work than. it's that it is unresponsive as hell, and they have no system wide circuit breaker, if it is slow.

    • If it were unreachable then the daemon would fail fast. A slowdown on the other hand just makes requests to the daemon queue up.

    • I am calling an unresponsive service unavailable. I think we agree about everything else.

  • What’s the alternative tho?

    • A limited change would be to fail-open more of the time, e.g., if the OCSP server does not respond within a few milliseconds. (MacOS already fails-open in some internet scenarios.)

      A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).

      1 reply →

  • The alternative is OCSP being allowed if internet isn't available, which is a security risk for reasonable defense-in-depth strategies.

    • Most OSCP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt in, because having an always-online requirement for using a mac is ridiculous.

      4 replies →

    • MacOS already fails-open if the OCSP server resolves to the local host (see: every suggestion to edit /etc/hosts in this discussion).

It does go locally if you are not on wifi. I thought the issue was my slow internet so I turned off wifi and suddenly everything launched just fine.