Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling
From: Tim Ruehsen
Subject: Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling
Date: Thu, 20 Aug 2015 10:33:41 +0200
User-agent: KMail/4.14.2 (Linux/4.1.0-1-amd64; KDE/4.14.2; x86_64; ; )
On Wednesday 19 August 2015 18:19:16 Petr Pisar wrote:
> On Wed, Aug 19, 2015 at 03:37:06PM +0000, Tim Ruehsen wrote:
> > Regarding MITM and other attacks... did you notice that OCSP responder
> > URLs are HTTP (plain text) with all the insecurity? I never saw an HTTPS
> > URL, did you?
>
> There is no need for HTTPS. The OCSP response is signed by the CA's OCSP
> responder. So the problem of OCSP response integrity reduces to verifying
> the OCSP response signature. Of course to verify the signature, one needs
> to verify OCSP responder's certificate. But this is the same story as with
> CRLs.
A signature makes it possible to verify the delivered content (answer from
OCSP responder here), and - as you say - is as trustworthy as the CA certs you
have.
But there also is a privacy concern involved when using plain text
communication. The OCSP request data holds unique parts of the server
certificate(s). Anyone (between me and the OCSP responder) can see and assign
my IP with the domain (or at least with the server IP) that I want to access.
OCSP stapling is a big win here, but is potentially useless if the server has a
cert chain. That's why I want to see OCSP multi-stapling in the near future
(RFC6961 TLS Multiple Certificate Status Request Extension). That's also a big
HTTPS connect speedup. AFAIK, there is no TLS library currently supporting it.
Tim
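To make the privacy point above concrete, here is an added example (not code from this thread or from wget) that builds a minimal unsigned OCSPRequest as defined in RFC 6960 and then decodes it the way anyone watching the plaintext HTTP POST could. It uses only the Python standard library, assumes SHA-1 as the CertID hash algorithm (the common choice in practice), and all issuer and serial values are constructed placeholders, not a real CA.

```python
import hashlib

# CertID.hashAlgorithm: SEQUENCE { OID 1.3.14.3.2.26 (sha1), NULL }
SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")

def tlv(tag, body):
    """Tag-length-value; DER length is short form below 128, long form otherwise."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body

def der_uint(n):  # DER INTEGER for n >= 0; a leading 0x00 is added when the high bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_der, issuer_key, serial):
    """Unsigned OCSPRequest carrying one CertID (RFC 6960, section 4.1.1)."""
    cert_id = tlv(0x30, SHA1_ALG_ID
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())       # issuerKeyHash
                  + der_uint(serial))                                  # serialNumber
    # OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { reqCert CertID } } }
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def read_tlv(buf, pos=0):  # -> (tag, body, next_pos) for the DER element starting at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def first_seq(buf):  # body of the first SEQUENCE child; skips context tags like [0] version
    return next(body for tag, body in children(buf) if tag == 0x30)

def observe_cert_id(request_der):  # what an on-path observer reads out of the plaintext request
    tbs = first_seq(read_tlv(request_der)[1])       # OCSPRequest -> TBSRequest
    cert_id = first_seq(first_seq(first_seq(tbs)))  # requestList -> Request -> CertID
    _alg, name_hash, key_hash, serial = [body for _, body in children(cert_id)]
    return {"issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big")}

# Constructed placeholder inputs, not a real CA: DER Name "CN=X", 32 key bytes, a 128-bit serial.
EXAMPLE_ISSUER_NAME = bytes.fromhex("300c310a300806035504030c0158")
EXAMPLE_ISSUER_KEY, EXAMPLE_SERIAL = bytes(range(32)), 0xF00D0000000000000000000000000042
```

The issuer hashes identify the CA and the serial number identifies the exact certificate, so the tuple returned by `observe_cert_id` is enough to map a client IP to the site being visited; a stapled response removes the client-to-responder request entirely.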