Comment by ehsankia

4 years ago

I'm sorry if this was answered elsewhere, but can someone explain to me how this works when you don't have an internet connection? I assume you can still launch apps without an internet connection. So then, what stops bad actors from just either blocking the connection to OCSP or straight up turning off your connection entirely when running malware?

Through the very mechanism people are complaining about today.

If your machine is offline then it switches to a fail-open system and uses its cache to verify the binary and if it's not in the cache then it skips the check and allows it.

If your machine is online then it switches to a fail-closed system so that if you can't reach the servers because of something malicious then it blocks.

  • So that seems like more of an analytics system to me than a protection system, if it can be circumvented so easily.

    • I think the philosophy is that you're not too often acquiring new software while offline so the usability trade-off isn't as bad as it seems.