Comment by _qulr

4 years ago

OCSP is Online Certificate Status Protocol. The connection to ocsp.apple.com is checking the status of the certificate used to code sign the launching app.

I wrote an article about this a couple weeks ago because of the temporary revocation of HP's signing cert for printer drivers on the Mac:

https://lapcatsoftware.com/articles/revocation.html

I'm sorry if this was answered elsewhere, but can someone explain to me how this works when you don't have an internet connection? I assume you can still launch apps without an internet connection. So then, what stops bad actors from just either blocking the connection to OCSP or straight up turning off your connection entirely when running malware?

  • Through the very mechanism people are complaining about today.

    If your machine is offline then it switches to a fail-open system and uses its cache to verify the binary and if it's not in the cache then it skips the check and allows it.

    If your machine is online then it switches to a fail-closed system so that if you can't reach the servers because of something malicious then it blocks.
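A small model of the policy this comment describes (cache first, fail-open when offline, fail-closed when online but the responder is unreachable). This is an added example, not Apple's code; the cache lifetime, the serial numbers and the status strings are assumptions.

```python
CACHE_TTL = 24 * 3600  # assumed cache lifetime; the thread does not state the real one

class RevocationChecker:
    """Model of the policy above: cache wins, offline fails open, online-unreachable fails closed."""

    def __init__(self, responder, clock):
        self.responder = responder  # callable(serial) -> "good" | "revoked" | "unknown", or raises ConnectionError
        self.clock = clock          # injectable clock so cache expiry can be exercised
        self.cache = {}             # serial -> (status, fetched_at)

    def check(self, serial, online):
        """Return (verdict, reason) for a binary signed with certificate `serial`."""
        now = self.clock()
        cached = self.cache.get(serial)
        if cached and now - cached[1] < CACHE_TTL:
            return ("allow" if cached[0] == "good" else "block"), "cache"
        if not online:
            return "allow", "offline-fail-open"  # no network: the binary runs unchecked
        try:
            status = self.responder(serial)
        except ConnectionError:
            return "block", "online-fail-closed"  # network up but responder unreachable: refuse
        self.cache[serial] = (status, now)
        return ("allow" if status == "good" else "block"), "responder"

def run_scenarios():
    """Constructed scenarios covering each branch; returns {name: (verdict, reason)}."""
    clock = [0.0]
    known = {1001: "good", 1002: "revoked"}  # constructed certificate serials
    blocked = [False]                         # flip to simulate an unreachable responder

    def responder(serial):
        if blocked[0]:
            raise ConnectionError("responder unreachable")
        return known.get(serial, "unknown")

    rc = RevocationChecker(responder, clock=lambda: clock[0])
    out = {}
    out["online_good"] = rc.check(1001, online=True)
    out["online_revoked"] = rc.check(1002, online=True)
    blocked[0] = True
    out["online_blocked_cached"] = rc.check(1001, online=True)
    out["online_blocked_new"] = rc.check(1003, online=True)
    out["offline_cached_revoked"] = rc.check(1002, online=False)
    out["offline_unknown"] = rc.check(1003, online=False)
    clock[0] += CACHE_TTL + 1
    out["offline_expired_cache"] = rc.check(1002, online=False)
    return out
```

The last scenario shows the limit of the offline branch: once a cached "revoked" answer expires, an offline machine falls back to fail-open and the binary is allowed again.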

So is checking for security certificates good or bad, now?

  • If you've suffered inconvenience from having checks but not suffered inconvenience from no checks, then it's bad.

    If you've suffered inconvenience from no checks but not suffered inconvenience from having checks, then it's good.

  • Since this check is currently done _unencrypted_ (as lapcatsoftware said in his post), I'd say it's objectively bad.