Historically speaking, OCSP was invented in a world where almost all DNS requests were also in cleartext. So if an attacker can observe DNS requests, then it's already "game over", and the cleartext of the OCSP request is almost redundant at that point.

It's worth noting a couple differences between HTTPS OCSP and Developer ID OCSP. First, with Developer ID, the only DNS request is for ocsp.apple.com, so the DNS request by itself doesn't expose any information about the Mac app being launched, unlike with HTTPS.

Second, the caching of Developer ID OCSP responses tends to be much much shorter than for HTTPS. Prior to Thursday's outage, the standard cache length for Developer ID OCSP responses seemed to be 5 minutes. (Apple seems to have raised it to 12 hours now.) In contrast, I just checked the latest response in my OCSP cache, which was for http://ocsp.digicert.com, and its validity is 7 days. So the rate at which Developer ID OCSP requests are made seems to be much higher than for HTTPS, and thus there's greater chance of exposure.

Most of the people affected by the issue have no idea what OCSP is.

Chrome uses its own CRL, which pulls from OCSP

https://medium.com/@alexeysamoshkin/how-ssl-certificate-revo...

Although OCSP stapling is used more now IIRC.

Chrome uses CRLset, which generates a cut down CRL when the browser is updated, I don’t see any interaction with OCSP

HN doesn’t set OCSP must staple so we’re still a while away from being able to trust it.