Comment by outworlder

4 years ago

Why the heck do they have to reach to central servers?

Anti-virus software has been working with "definition files" ever since the dial-up days. Check locally. Update when you can.

This is a completely brain-dead implementation.

You could absolutely use a simple certificate revocation list instead of OCSP. I don't know how large that would be, though. It could run into problems if there was a Heartbleed-like issue that required revoking many certs.

All the extra connections are enough of an issue that there's OCSP stapling, where a web server attaches a copy of the OCSP check to the response.

Seems like it'd be possible to inject a file into Cool.app/Contents/ocsp.staple in a downloaded .dmg.

That could be considered valid for a few days so that, for the common case of "download app and try it out", there's no need to phone home.