What harm will denying ocsp.apple.com do?

Solution 1:

The OCSP protocol is used to check whether or not a certificate has been revoked. In this context, it is used to give Apple the opportunity to revoke the “blessing” it has given to a specific piece of software. This could happen, for example, if Apple discovers that it contains malware, or when the software developer turns out to be a scammer, or in similar situations.

Blocking OCSP does not interrupt normal certificate validation. Your Mac will still be able to tell whether or not the software has at some point received the “blessing” from Apple that makes it pass validation. If you have unsigned software or software signed by someone other than Apple, this will still be picked up by the system.

Disabling OCSP access only means that software that Apple once validated won’t be subject to checks in the future to see if Apple decided to revoke that validation.

Whether or not that is sustainable for a longer period of time depends on your own threat assessment. For ordinary users, I would recommend not blocking OCSP, as it serves as an extra layer of protection against malicious software.
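The distinction the answer draws (offline signature validation still works; only the revocation check needs the network) is easier to see in an actual OCSP exchange. The following is an added example, not code from either answer and not Apple's implementation: it builds a constructed CA and signing certificate with the `cryptography` library, has the client issue an RFC 6960 OCSP request, has a toy responder answer GOOD or REVOKED with a signed response, and has the client verify the responder's signature before trusting the status. The `launch_decision` function and its "soft-fail"/"hard-fail" policy names are hypothetical: they model what blocking the responder host means for a client that either tolerates or refuses an unanswered revocation check.

```python
"""Toy OCSP exchange with a constructed CA (added example, not Apple's code).
A CA issues a signing certificate, the client builds an OCSP request for it,
the responder answers GOOD or REVOKED, and the client verifies the responder's
signature before trusting the answer.  run_demo() then shows what blocking the
responder means under a hypothetical soft-fail vs hard-fail policy."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _cert(subject, issuer, pubkey, signer_key, is_ca):
    """Build a certificate valid from yesterday for one year."""
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer).public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(_now() - ONE_DAY)
               .not_valid_after(_now() + 365 * ONE_DAY)
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signer_key, hashes.SHA256())


def make_pki():
    """Constructed CA plus one signing cert; names are hypothetical."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example App Signer")])
    leaf_cert = _cert(leaf_name, ca_name, leaf_key.public_key(), ca_key, False)
    return ca_key, ca_cert, leaf_cert


def build_request(leaf_cert, ca_cert):
    """Client side: the request identifies the cert by issuer hashes plus serial."""
    return ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, ca_cert, hashes.SHA1()).build()


def responder(req_der, ca_key, ca_cert, leaf_cert, revoked_serials):
    """Responder side: look the serial up in its revocation list, sign the answer."""
    req = ocsp.load_der_ocsp_request(req_der)
    if req.serial_number in revoked_serials:
        status = ocsp.OCSPCertStatus.REVOKED
        rev_time, reason = _now() - ONE_DAY, x509.ReasonFlags.key_compromise
    else:
        status, rev_time, reason = ocsp.OCSPCertStatus.GOOD, None, None
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=status, this_update=_now(),
                          next_update=_now() + ONE_DAY,
                          revocation_time=rev_time, revocation_reason=reason)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def client_check(resp_der, req_der, ca_cert):
    """Client side: trust the status only if the response is signed by the CA
    we already trust and answers the serial we actually asked about."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status}")
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != ocsp.load_der_ocsp_request(req_der).serial_number:
        raise ValueError("response is for a different certificate")
    return resp.certificate_status


def launch_decision(fetch, req_der, ca_cert, policy):
    """Hypothetical launch gate. `fetch` models the network call to the OCSP
    host and raises OSError when that host is blocked, as in the question."""
    try:
        status = client_check(fetch(req_der), req_der, ca_cert)
    except OSError:
        # Revocation status unknown: soft-fail keeps running, hard-fail refuses.
        return "allow" if policy == "soft-fail" else "block"
    return "block" if status == ocsp.OCSPCertStatus.REVOKED else "allow"


def run_demo():
    ca_key, ca_cert, leaf_cert = make_pki()
    req_der = build_request(leaf_cert, ca_cert).public_bytes(serialization.Encoding.DER)

    def good(r): return responder(r, ca_key, ca_cert, leaf_cert, set())
    def revoked(r): return responder(r, ca_key, ca_cert, leaf_cert, {leaf_cert.serial_number})
    def blocked(r): raise OSError("ocsp host blocked")

    return {
        "good": launch_decision(good, req_der, ca_cert, "soft-fail"),
        "revoked": launch_decision(revoked, req_der, ca_cert, "soft-fail"),
        "blocked_soft": launch_decision(blocked, req_der, ca_cert, "soft-fail"),
        "blocked_hard": launch_decision(blocked, req_der, ca_cert, "hard-fail"),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case}: {decision}")
```

Note that nothing in the exchange above sends the application itself or a hash of it: the request names the signing certificate by its issuer hashes and serial number, and the signed answer is only about that certificate's revocation state. A production client would additionally check the response's thisUpdate/nextUpdate window so that a stale captured answer cannot be replayed after a revocation.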

Solution 2:

OCSP requests send a hash for every program you run, so that trustd can report the information (to a third-party CDN run by another company, Akamai). The purpose is to effectively verify whether the app that is launching is notarized or not by attempting to validate any Apple-related cryptographic certificates. With the release of macOS 11, we could no longer block certain Apple OS services with apps like LuLu and Little Snitch, given the new restrictions on how third-party kernel extensions can function and on their scope of control. This feature was then removed with the release of macOS 11.2.

If you always know what you're installing and you trust the processes running on your Mac, there might not be an immediate consequence of blocking the OCSP requests. Since they require an internet connection, you could instead toggle your network connection to resolve any slow-downs the next time Apple's servers freeze up. If you want to block the OCSP requests, your solution should work (at least for that address). If you want to disable the service, you can try the following commands:

sudo defaults write /Library/Preferences/com.apple.security.revocation.plist OCSPStyle None
sudo defaults write com.apple.security.revocation.plist OCSPStyle None

I can't verify that it will make a difference, since Apple removed the conventional method to accomplish the equivalent in Keychain Access → Preferences years ago.