The protocol in use is OCSP. The OCSP endpoint is part of the certificate. If I had to guess, I would say that they just relied on certificate validation features of the library they are using, not necessarily aware of all of the consequences.
Checking OCSP is a standard feature of many SSL libraries.
Doing what you suggest is an implementation outside of what standard libraries would provide and was probably completely out of scope until now when stuff started burning.
Don't call relying on standard features of an underlying library "batshit implementation". For the vast majority of cases going with what's already there is the way better solution than NIHing your custom thing
To be fair, they fully control the library they’re using, as they have their own x509 library and API in Core Foundation. But it also supports CRLs so I’m somewhat circumspect this is the reason.
More likely it’s the server side: CRLs have fallen out of popularity because they don’t work well for the scope of most CAs. On the web OCSP doesn’t have the drawbacks it does in this situation because servers themselves can staple OCSP responses instead of forcing the client to fetch them itself. Obviously the same doesn’t quite work for binaries sitting on a user’s disk.
> To be fair, they fully control the library they’re using, as they have their own x509 library and API in Core Foundation. But it also supports CRLs so I’m somewhat circumspect this is the reason.
yes. if of course it's their library. But I assume the caller was just calling some (imaginary) function like
validate_cert(cert, ENABLE_ALL_CHECKS);
and that was it.
That ENABLE_ALL_CHECKS would then go out to check the OCSP server was probably not immediately known or was just seen as something that's part of, well, enabling all checks without much additional thought.
Whether the certificate also lists a CRL endpoint and whether that imaginary ENABLE_ALL_CHECKS also checks that I don't know, but possibly neither did the person who called that (imaginary) function.
Heck, the function might even default to ENABLE_ALL_CHECKS internally at which point the author of this code in question might not even have been aware of the network calls.
Checking OCSP is a standard feature of many SSL libraries.
Doing what you suggest is an implementation outside of what standard libraries would provide and was probably completely out of scope until now when stuff started burning.
Don't call relying on standard features of an underlying library "batshit implementation". For the vast majority of cases going with what's already there is the way better solution than NIHing your custom thing