If BigSur is slowing down your mac

Denying OCSP connection could mitigate the issue

Ravic Poon
3 min read · Nov 17, 2020

Disclaimer

The information below is not a silver bullet for every performance issue caused by BigSur. Use it at your own risk!

The Intention

To prevent trustd from checking the validity of an application's digital certificate via an Online Certificate Status Protocol (OCSP) request.

What is OCSP?

Image 1. Ascertia (2020) OCSP Request Overview. Retrieved from https://www.ascertia.com/products/adss-ocsp-server/

The OCSP responder is responsible for providing real-time verification of the status of an X.509 certificate. An OCSP response reports one of three statuses: “good”, “revoked” or “unknown”.

A digital certificate can be marked as invalid for several reasons. Take “revoked” for example: a website secured with TLS/HTTPS uses an SSL certificate to authenticate its backend and establish trust in the domain. The certificate is signed by a certificate authority (CA) and remains valid for a set period until it expires. Generally, the website should renew the certificate shortly before it expires. However, one might be forced to revoke a signed certificate prior to its expiration because of a security issue such as a compromised private key.
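The three statuses above can be reproduced offline with nothing but the openssl command line. The script below is an added example, not code from the original post: it constructs a throw-away CA, three leaf certificates and a CA index file (all file names, serial numbers and the revocation entry are constructed for the demo), runs openssl's built-in responder against that index, and verifies each response in client mode, yielding “good”, “revoked” and “unknown” respectively. The only assumption is that openssl 1.1.1 or 3.x is on PATH.

```shell
#!/bin/sh
# Added example: an offline OCSP exchange driven by the openssl CLI.
# Assumption: openssl 1.1.1 or 3.x is on PATH. Everything else (CA, leaf
# certificates, serial numbers, the CA index) is constructed below.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throw-away CA: self-signed certificate plus private key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_leaf NAME SERIAL: leaf certificate signed by the CA with a fixed
# serial number, so the index file below can refer to it.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -set_serial "$2" \
        -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue_leaf good-leaf    4096   # serial 0x1000
issue_leaf revoked-leaf 4097   # serial 0x1001
issue_leaf unknown-leaf 4098   # serial 0x1002, deliberately absent from the index

# CA index in "openssl ca" format, tab separated:
#   status  expiry  revocation-time[,reason]  serial(hex)  file  subject
# The revoked entry models the key-compromise case from the article.
printf 'V\t301231235959Z\t\t1000\tunknown\t/CN=good-leaf\n' > "$WORK/index.txt"
printf 'R\t301231235959Z\t201117000000Z,keyCompromise\t1001\tunknown\t/CN=revoked-leaf\n' >> "$WORK/index.txt"

# ocsp_status NAME: produce a signed response for NAME's certificate with
# openssl's responder mode (-index), then verify it in client mode and print
# the status word: "good", "revoked" or "unknown".
ocsp_status() {
    # Responder side: answer from the CA database and save the signed response
    # (-noverify here only skips the responder's own self-check of its output).
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -rmd sha256 \
        -issuer "$WORK/ca.pem" -cert "$WORK/$1.pem" \
        -no_nonce -noverify -respout "$WORK/$1.resp" >/dev/null 2>&1
    # Client side: the response is checked against the CA (-CAfile) before the
    # per-certificate status line "<certfile>: <status>" is printed.
    openssl ocsp -respin "$WORK/$1.resp" -issuer "$WORK/ca.pem" \
        -cert "$WORK/$1.pem" -CAfile "$WORK/ca.pem" -no_nonce 2>/dev/null \
        | awk -v f="$WORK/$1.pem:" '$1 == f { print $2 }'
}

for name in good-leaf revoked-leaf unknown-leaf; do
    printf '%-13s -> %s\n' "$name" "$(ocsp_status "$name")"
done
```

The index file is the same format `openssl ca` maintains, so revoking a certificate is nothing more than changing its row from V to R with a revocation time and reason; a certificate the responder has never issued falls through to “unknown”, which is why a client must treat that status as “not proven good” rather than as a pass.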

What does OCSP have to do with the sluggish performance of my mac?

Since the BigSur system update, my MacBook would freeze for a noticeable period (it felt like more than 100 milliseconds) and then resume to normal. In addition, it doesn’t matter if the application is VSCode, TextEdit or even Stickies; there is this noticeable lag when I am typing. However, the lag dissipates when I am not connected to the Internet. For the record, I have been experimenting with the behaviour and trying to reproduce the lag in different scenarios, such as opening only the text editor to make sure my system is not running a bunch of heavy applications that could potentially slow it down.

Image 2. A screenshot of Little Snitch running in macOS Big Sur 11.0.1 (dark theme)

I have been using a mac application called LittleSnitch; it is a firewall application used to monitor applications and offer the user the capability to allow or disallow a certain network connection. I reckoned there was this little process which had been running and failing silently soon after I got my MacBook updated to BigSur.

Image 3. A screenshot of Little Snitch running in macOS Big Sur 11.0.1 (dark theme)

I immediately configured LittleSnitch to deny any outgoing network calls by trustd. I have been running my computer with that process being denied; interestingly, there have not been any sluggish performance issues since. It seems to me that this process might not be failing gracefully; those errors or timeouts did not seem to be handled properly, which could be the culprit in this case.

Alternative to LittleSnitch

  • Open Terminal.
  • Open your hosts file from the terminal as a superuser:
      $ sudo vi /etc/hosts
  • Edit your hosts file to add this line:
      0.0.0.0 ocsp.apple.com
  • Press shift and ; then type wq! and press enter to save and exit the editor. The file should then look something like this:
      ##
      # Host Database
      #
      # localhost is used to configure the loopback interface
      # when the system is booting. Do not change this entry.
      ##
      0.0.0.0 ocsp.apple.com
      127.0.0.1 localhost
  • Clear your DNS cache by running this from the terminal as a superuser:
      $ sudo dscacheutil -flushcache
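Because the hosts-file workaround has to be undone later (see the conclusion below), it is worth scripting it so that the entry is added exactly once, tagged, and removable without touching the rest of the file. The script below is an added example, not code from the original post; the file path is a parameter so the functions can be tried on a copy before the real /etc/hosts is edited with sudo. The `killall -HUP mDNSResponder` line in hosts_flush is an addition to the post's single dscacheutil step, and the script name hosts_override.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): reversible management of the
# ocsp.apple.com override in a hosts file. The file is a parameter (default
# /etc/hosts) so the functions can be tried on a copy before touching the
# real file with sudo. hosts_flush is macOS-specific.

ENTRY='0.0.0.0 ocsp.apple.com'
# Trailing comment tag so hosts_remove deletes only the line this script added.
TAG='# temporary trustd workaround, remove once Apple patches Big Sur'

# hosts_has FILE: succeed if FILE already maps ocsp.apple.com to an unroutable
# or loopback address (covers a hand-edited entry as well as ours).
hosts_has() {
    grep -Eq '^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+ocsp\.apple\.com([[:space:]]|$)' "$1"
}

# hosts_add FILE: append the tagged entry exactly once, keeping a backup.
hosts_add() {
    if hosts_has "$1"; then
        echo "override already present in $1"
        return 0
    fi
    cp -p "$1" "$1.bak" || return 1
    printf '%s %s\n' "$ENTRY" "$TAG" >> "$1"
}

# hosts_remove FILE: drop only the tagged line; every other line is kept as-is.
hosts_remove() {
    tmp="$(mktemp)" || return 1
    grep -vF "$TAG" "$1" > "$tmp" || true   # grep exits 1 when no line survives; that is fine
    cat "$tmp" > "$1" && rm -f "$tmp"        # cat keeps the target's owner and mode
}

# hosts_flush: make the resolver re-read the file (run as root on macOS).
# The mDNSResponder HUP is an addition to the post's single dscacheutil step.
hosts_flush() {
    dscacheutil -flushcache
    killall -HUP mDNSResponder
}

# Command-line use (script name assumed), e.g.:
#   sudo sh hosts_override.sh add
#   sudo sh hosts_override.sh remove      (once Apple has shipped a fix)
#   sh hosts_override.sh status
case "${1:-}" in
    add)    hosts_add    "${2:-/etc/hosts}" && hosts_flush ;;
    remove) hosts_remove "${2:-/etc/hosts}" && hosts_flush ;;
    status) if hosts_has "${2:-/etc/hosts}"; then echo "override present"; else echo "override absent"; fi ;;
esac
```

Tagging the line is what makes the rollback safe: hosts_remove matches the tag rather than the host name, so a pre-existing or hand-written ocsp.apple.com entry is left for the administrator to review instead of being silently deleted.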

Conclusion

These are not proper solutions: as mentioned above, your system will no longer check certificate status, which leaves it vulnerable to malicious attacks.

If you are going with the alternative solution mentioned above, please do not forget to remove 0.0.0.0 ocsp.apple.com from the hosts file once Apple has patched this problem.

If you are not sure about it, perhaps it is best to wait for an official software update from Apple.
