Regarding the news yesterday that apps on macOS needs to phone home

[Ternary]

On Big Sur, adding ocsp.apple.com to my hosts file doesn't work for me.

I added this line to /etc/hosts:

127.0.0.1 ocsp.apple.com

And ocsp.apple.com still loads on web browsers. I tried restarting my Mac, which didn't fix anything, and I verified the hosts file works on other websites.

Can anyone verify if adding ocsp.apple.com to the hosts file works on Big Sur?

 

[SpiritSoul1008]

On Big Sur, adding ocsp.apple.com to my hosts file doesn't work for me.

I added this line to /etc/hosts:

127.0.0.1 ocsp.apple.com

And ocsp.apple.com still loads on web browsers. I tried restarting my Mac, which didn't fix anything, and I verified the hosts file works on other websites.

Can anyone verify if adding ocsp.apple.com to the hosts file works on Big Sur?

Works for me.

 

[jido]

Mmh, he says that the OCSP messages are not encrypted? Does he mean they are not sent using SSL?

Replying to myself – it is, indeed, not encrypted at all. No SSL or anything.

Why on Earth?

I am starting to succumb to the paranoia.

 

[Benz63amg]

I went ahead and added 0.0.0.0 ocsp.apple.com to my hosts file, this is absolutely no reason for apple to collect the info that it collects from this ocsp service. Gatekeeper is fully enabled and functioning as it should so blocking the ocsp has no effect on gatekeeper whatsoever and the Mac is fully protected from any potential malware.

 

[jennyp]

I went ahead and added 0.0.0.0 ocsp.apple.com to my hosts file, this is absolutely no reason for apple to collect the info that it collects from this ocsp service. Gatekeeper is fully enabled and functioning as it should so blocking the ocsp has no effect on gatekeeper whatsoever and the Mac is fully protected from any potential malware.

Having done that, what do you see when you type ocsp.apple.com into Safari's address bar and hit return?

 

[Benz63amg]

Having done that, what do you see when you type ocsp.apple.com into Safari's address bar and hit return?

This site can’t be reached​

ocsp.apple.com refused to connect.

ERR_CONNECTION_REFUSED

 

[minifridge1138]

Is anyone else still having this problem?

I’m running Mojave (last OS supported by my Mac) and applications hang at launch. It almost freezes my entire UI for many seconds.

Editing /etc/hosts to direct ocsp.apple.com to 127.0.0.1 instantly resolves my problem.

I thought Apple resolved this....

 

[jennyp]

This site can’t be reached​

ocsp.apple.com refused to connect.

ERR_CONNECTION_REFUSED

That's strange. I get a page saying "403 - Forbidden".

 

[blindpcguy]

Just tested on Big sur 11.0.1 Final build and the website does not load in safari. Definitely good to see a way around this mess

 

[Benz63amg]

That's strange. I get a page saying "403 - Forbidden".

That means that its not blocked on your end properly in the hosts file. you didnt do something right, it should give you the same message that i'm getting if you blocked it properly in the hosts file

 

[jennyp]

That means that its not blocked on your end properly in the hosts file. you didnt do something right, it should give you the same message that i'm getting if you blocked it properly in the hosts file

Can you recap what the proper way is to block in the hosts file?

When I try on Chrome it says "This site can’t be reached".

But I have other problems which may be relevant: my Safari cache folder at /Users/jenny/Library/Caches/com.apple.Safari remains permanently empty, even after visiting sites.

 

[GumaRodak]

There are only two types of users in the internet.
The ones which were hacked and the ones which don’t know they were hacked.

I just want to say, that there is no privacy if you are connected

 

[Ternary]

Can you recap what the proper way is to block in the hosts file?

When I try on Chrome it says "This site can’t be reached".

I have the same problem. After adding ocsp.apple.com to my hosts file, Chrome says "This site can't be reached" but Safari and Firefox still load the page with "403 - Forbidden".

I tried restarting my Mac and clearing the DNS cache with `sudo killall -HUP mDNSResponder` but nothing changes.

 

[jido]

What do you see for:

grep ocsp /etc/hosts

 

[jennyp]

What do you see for:

grep ocsp /etc/hosts

0.0.0.0 ocsp.apple.com

 

[Ternary]

I solved the problem with Safari/Firefox not blocking ocsp.apple.com!

You also need to add the following line to your hosts file:

::1 ocsp.apple.com

 

[jennyp]

I solved the problem with Safari/Firefox not blocking ocsp.apple.com!

You also need to add the following line to your hosts file:

::1 ocsp.apple.com

Hey Ternary that did it! Thanks! (Still don't know why my safari cache folder remains permanently empty though...)

 

[Benz63amg]

0.0.0.0 ocsp.apple.com

That’s the correct address to add in the hosts file, you’re supposed to add the address at the very last light below all existing text, you must have added it before the ::1 or something

 

[Benz63amg]

I solved the problem with Safari/Firefox not blocking ocsp.apple.com!

You also need to add the following line to your hosts file:

::1 ocsp.apple.com

Why did you add the ::1? That’s not how a domain is blocked in the hosts file

 

[jido]

Why did you add the ::1? That’s not how a domain is blocked in the hosts file

That is for IPv6, it's correct

 

[jennyp]

That is for IPv6, it's correct

Yes, I was trying to enter the IPv6 bit but I was putting

::1%lo0

- can't remember where I got that from, but Ternary's solution works.

 

[Benz63amg]

I solved the problem with Safari/Firefox not blocking ocsp.apple.com!

You also need to add the following line to your hosts file:

::1 ocsp.apple.com

So do you mean that instead of adding "0.0.0.0 ocsp.apple.com" to the last line of the hosts file i should add "0.0.0.0 ::1 ocsp.apple.com"? Can you please explain the reasoning behind this

I just went ahead and checked Safari as i was asked above (I wasn't home earlier so couldn't check Safar) and it indeed shows 403 - Forbidden instead of the "site can't be reached" that i see in Google Chrome(Which is good), What does this mean? is the ocsp.apple.com not properly blocked? How come entering ocsp.apple.com into google chrome returns one type of message and in Safari a different message? I'm on MacOS Catalina

 

[Benz63amg]

Works for me.

How can i verify that 0.0.0.0 ocsp.apple.com is indeed blocking this MacOS service on my Mac? When i go to ocsp.apple.com in google chrome it returns a message "site can't be reached" which I’m assuming is good as it means it blocked properly in the hosts file however when i check the same address in Safari it shows "403 - Forbidden", Does this mean that ocsp isn't properly blocked on my Mac?

 

[Ternary]

So do you mean that instead of adding "0.0.0.0 ocsp.apple.com" to the last line of the hosts file i should add "0.0.0.0 ::1 ocsp.apple.com"? Can you please explain the reasoning behind this

I just went ahead and checked Safari as i was asked above (I wasn't home earlier so couldn't check Safar) and it indeed shows 403 - Forbidden instead of the "site can't be reached" that i see in Google Chrome(Which is good), What does this mean? is the ocsp.apple.com not properly blocked? How come entering ocsp.apple.com into google chrome returns one type of message and in Safari a different message? I'm on MacOS Catalina

You add `::1 ocsp.apple.com` in addition to `0.0.0.0 ocsp.apple.com`, both on separate lines.

::1 is the ipv6 equivalent of 0.0.0.0. Safari tries to load the ipv6 version of ocsp.apple.com first, so without that extra line, Safari will load the page because it doesn't see that it's blocked.

 

[Benz63amg]

You add `::1 ocsp.apple.com` in addition to `0.0.0.0 ocsp.apple.com`, both on separate lines.

::1 is the ipv6 equivalent of 0.0.0.0. Safari tries to load the ipv6 version of ocsp.apple.com first, so without that extra line, Safari will load the page because it doesn't see that it's blocked.

I see, If i don't add "::1 ocsp.apple.com" and just keep "0.0.0.0 ocsp.apple.com" in the hosts file, Does that mean that MacOS is still using this background service that we are trying to block or is it only something that's displayed in Safari and is not important?