← Back to context

Comment by 8note

4 years ago

That still seems weird. Why does running unrecognized software become safe when you're off line?

It's a security theater

  • Thank you. Phrased perfectly.

    It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function.. masquerading as security.

    macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.

    • If you point the request at localhost, the problem resolves. This means that a cable getting cut in Cupertino won’t matter. It is a revocation protocol; it fails open.

      The problem today is that not that the connection to the server failed, but that it succeeded very slowly. The result was an accidental denial of service on the client.

      It is a bug, and an easily fixed one at that.

      11 replies →

    • I agree that it’s security theater and a suspect implementation, but I was playing a game of “let’s imagine why someone might do this...”—

      I’m wondering, suppose it was designed this way because part of the goal is to prevent the spread of malware, the fastest means of which is an internet connected computer. In that event, the feature only intrudes when the computer, by virtue of it’s internet connection, is a member of the threat class.

      So... plausible?

      4 replies →

Because it is not yet illegal to operate a computing machine that is not centrally monitored. New Normal, get used to it. Soon, this corner case will go away.

"Why were you offline when using your computer?"

Yes, can someone clarify this? What the hell is going on here?

  • It doesn't become safe when you're offline, it's just that you're no worse off than you were. OCSP is s a certificate revocation protocol. It's only used for disabling certificates which were issued in good faith but now need to be revoked. Suppose Apple signs application X, and the signature is good for a year. Six months later, Apple discovers that application X contains malware, so they revoke the certificate. However, your computer doesn't know about the revocation until it checks the OCSP server, which requires you to be online. If you're offline, it just skips the check; the certificate wasn't revoked yesterday, so it's probably fine today too. The bug is that if you're connected to a network but can't contact the OCSP server (either because the OCSP server is down, or because you're not connected to the internet) then OSX keeps trying to connect and becomes sluggish and/or unresponsive. This is how we know that it's a defect rather than a deliberate choice; if they had decided to make the OS non−functional unless connected to the internet they would have done a better job of it.

    It wouldn't surprise me if they one day wanted to require you to be online 100% of the time so that you can't skip the OCSP checks on applications, but I don't think that would go over very well. Apple wouldn't even be the first to produce applications that refuse to work if there's no internet connection. If you don't like the thought that they might one day spring this on you, I recommend investigating Linux.