It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function.. masquerading as security.
macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.
If you point the request at localhost, the problem resolves. This means that a cable getting cut in Cupertino won’t matter. It is a revocation protocol; it fails open.
The problem today is that not that the connection to the server failed, but that it succeeded very slowly. The result was an accidental denial of service on the client.
This particular issue is easy to work around for technical users; the _problem_ is the philosophy that made it possible.
This is the reason I can no longer use Apple computers - the continuous battle they are waging against the users freedom on all fronts - the anxiety of what they will do next to _my_ computer is too much.
I agree that it’s security theater and a suspect implementation, but I was playing a game of “let’s imagine why someone might do this...”—
I’m wondering, suppose it was designed this way because part of the goal is to prevent the spread of malware, the fastest means of which is an internet connected computer. In that event, the feature only intrudes when the computer, by virtue of it’s internet connection, is a member of the threat class.
Thank you. Phrased perfectly.
It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function.. masquerading as security.
macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.
If you point the request at localhost, the problem resolves. This means that a cable getting cut in Cupertino won’t matter. It is a revocation protocol; it fails open.
The problem today is that not that the connection to the server failed, but that it succeeded very slowly. The result was an accidental denial of service on the client.
It is a bug, and an easily fixed one at that.
This particular issue is easy to work around for technical users; the _problem_ is the philosophy that made it possible.
This is the reason I can no longer use Apple computers - the continuous battle they are waging against the users freedom on all fronts - the anxiety of what they will do next to _my_ computer is too much.
10 replies →
I agree that it’s security theater and a suspect implementation, but I was playing a game of “let’s imagine why someone might do this...”—
I’m wondering, suppose it was designed this way because part of the goal is to prevent the spread of malware, the fastest means of which is an internet connected computer. In that event, the feature only intrudes when the computer, by virtue of it’s internet connection, is a member of the threat class.
So... plausible?
Plausible a la NSA, yeah?
I presume this setup wasn't public knowledge.
Apple built the computer; I exchanged money for the computer; now I own the computer.
Apple does not own the computer.
If Apple wants to own the computer, they can pay me instead.
2 replies →
Or defense in depth.
I hate it too, but 'theater' implies it isn't useful in any way.
And probably a ruse to amass application usage stats.
Mandatory OCSP is security theater? That’s a pretty bold claim.
Mandatory OCSP that fails open when you're offline is security theater.
OCSP fails open by definition because it is a revocation protocol. In the absence of revocation, a valid cert continues to be valid.
The problem here is simply that Apple did not build a short enough timeout into their client.
1 reply →