It's slightly more nuanced than that - you can of course just block it from doing so, and there's certainly an argument for it being updated to not need a network call each time, but phrasing it like this makes it sound worse than it actually is.
I'll just quote Jeff Johnson, who's looked into this and written about it - his comment[1] on this post is quite useful:
>The request to http://crl.apple.com/root.crl is simply checking the revocation status of Apple’s own Developer ID Certification Authority intermediate signing certificate. If you examine the cert in the System Roots keychain, you can see that URL under CRL Distribution Points. This request contains no information specific to third-party developers or apps. In contrast, there’s no CRL for third-party Developer ID leaf certs signed by Apple’s intermediate cert. Their status is only available via OCSP.
Notably, this:
>This request contains no information specific to third-party developers or apps.
The parent comment is incorrectly stating that each request to Apple is checking a binary, and it's not. This has been well documented both here on HN and across the web.
That's not the definition of refute. The distinction between a lazy-implied always and merely often is pedantic. The point is that it happens enough to reduce performance, while doing something no end-user asked for and is difficult, if not impossible, to disable without reducing other security protections.
[1] https://eclecticlight.co/2020/11/25/macos-has-checked-app-si...
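The CRL-versus-OCSP distinction in the quoted comment, as an added example that is not part of the thread and is not Apple's code: it uses the Python `cryptography` package to show that the CRL URL comes from the CA certificate and is the same whichever leaf is checked, while an OCSP request carries the serial number of the specific leaf. The CA hierarchy, names and URL are all constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtensionOID, NameOID

CRL_URL = "http://crl.example.test/root.crl"  # constructed placeholder URL
START = datetime.datetime(2024, 1, 1)

def make_cert(subject_cn, issuer_cn, public_key, signing_key, crl_url=None):
    """Issue a throwaway cert; crl_url adds a CRL Distribution Points extension."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(START)
               .not_valid_after(START + datetime.timedelta(days=365)))
    if crl_url:
        point = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([point]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())

def crl_urls(cert):
    """URLs a verifier would fetch for a CRL check of this cert ([] if it has none)."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])]

def ocsp_serial(leaf, issuer):
    """Serial number carried inside the OCSP request for one leaf certificate."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build()
    return req.serial_number

def demo():
    root_key, inter_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    inter = make_cert("Example Intermediate CA", "Example Root CA",
                      inter_key.public_key(), root_key, crl_url=CRL_URL)
    leaves = [make_cert(cn, "Example Intermediate CA",
                        ec.generate_private_key(ec.SECP256R1()).public_key(), inter_key)
              for cn in ("Developer A", "Developer B")]  # constructed leaf names
    return {"intermediate_crl": crl_urls(inter),
            "leaf_crl": [crl_urls(leaf) for leaf in leaves],
            "ocsp_serials": [ocsp_serial(leaf, inter) for leaf in leaves],
            "leaf_serials": [leaf.serial_number for leaf in leaves]}
```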