Comment by josephcsible

4 years ago

My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.

44 comments

josephcsible

berryg 4 years ago

I experienced this a couple of weeks ago. My wifi was up, but my internetprovider was down. My Macbook came to a halt. Nothing worked anymore. The whole machine was extremely slow. When the internetprovider came back up again, everything was fine again.

aunty_helen 4 years ago
Had the same thing earlier in the week as the isp was doing maintenance two nights in a row. 5+ seconds to start sublime and other really basic apps. Apple apps had no problem of course.
Remembering the notarization problems people were having months ago I did some tests and confirmed.
Now have little snitch installed again and my laptops going to be an Apple orphan. So I never noticed this problem today by virtue of it pissing me off 2 days before.
- hackerfromthefu 4 years ago
  
  Might as well get a chromebook then hahaha
kps 4 years ago
So you can't use a computer on an airgapped network? That seems counterproductive if the objective is security.
- floatingatoll 4 years ago
  
  If your computer is actually airgapped and has no networking interfaces configured, you won't have this issue.
  If your computer is able to resolve DNS for ocsp.apple.com but to connection-timeout all traffic, yes, you could possibly reproduce today's issue.
  
  3 replies →

8note 4 years ago

That still seems weird. Why does running unrecognized software become safe when you're off line?

type0 4 years ago
It's a security theater
- nmg 4 years ago
  
  Thank you. Phrased perfectly.
  It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function.. masquerading as security.
  macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.
  
  17 replies →
- unethical_ban 4 years ago
  
  Or defense in depth.
  I hate it too, but 'theater' implies it isn't useful in any way.
- sildur 4 years ago
  
  And probably a ruse to amass application usage stats.
- johncolanduoni 4 years ago
  
  Mandatory OCSP is security theater? That’s a pretty bold claim.
  
  3 replies →
eternalban 4 years ago

Because it is not yet illegal to operate a computing machine that is not centrally monitored. New Normal, get used to it. Soon, this corner case will go away.
"Why were you offline when using your computer?"
sprt 4 years ago
Yes, can someone clarify this? What the hell is going on here?
- db48x 4 years ago
  
  It doesn't become safe when you're offline, it's just that you're no worse off than you were. OCSP is s a certificate revocation protocol. It's only used for disabling certificates which were issued in good faith but now need to be revoked. Suppose Apple signs application X, and the signature is good for a year. Six months later, Apple discovers that application X contains malware, so they revoke the certificate. However, your computer doesn't know about the revocation until it checks the OCSP server, which requires you to be online. If you're offline, it just skips the check; the certificate wasn't revoked yesterday, so it's probably fine today too. The bug is that if you're connected to a network but can't contact the OCSP server (either because the OCSP server is down, or because you're not connected to the internet) then OSX keeps trying to connect and becomes sluggish and/or unresponsive. This is how we know that it's a defect rather than a deliberate choice; if they had decided to make the OS non−functional unless connected to the internet they would have done a better job of it.
  It wouldn't surprise me if they one day wanted to require you to be online 100% of the time so that you can't skip the OCSP checks on applications, but I don't think that would go over very well. Apple wouldn't even be the first to produce applications that refuse to work if there's no internet connection. If you don't like the thought that they might one day spring this on you, I recommend investigating Linux.

Spivak 4 years ago

Unfortunately there’s not a way to differentiate “we’re online but Apple’s servers are having issues — probably fine” and “we’re online and something something is preventing us from talking to them — something nefarious might be happening.”

alistairSH 4 years ago
Local copy of whatever Apple is checking? Update that daily (on sign on or something). Not going to catch zero day type stuff, but better than making the laptop unusable.
- noobermin 4 years ago
  
  I'm going to make a bold claim but Linus made a claim to this effect. Security is important but it cannot be the only main priority when designing systems. Apple's mistake here is probably the main story but more generally this attitude (letting systems spectacularly fail for the sake of hypothetical security) is foolish and results in rather terrible bugs like this.
- Spivak 4 years ago
  
  I think the point is that that database is too large to store on a single machine which is why it has to be ad-hoc queried and cached. I mean it will have the signature of every program run on a Mac.
  
  1 reply →
- jagger27 4 years ago
  
  I don’t really want a giant hash table on my disk either.
  
  1 reply →