On Wed, 9 Apr 2014, Kurt Roeckx wrote:

> However, iceweasel/firefox by default is happy to ignore an OCSP
> timeout.  You need to turn it on that it doesn't allow a timeout.
> I have no idea why they use that as default.

Because it's an easy DoS if an attacker is in a position to MITM the connection between you and the OCSP service (or CRL file), no? And if the attacker can MITM the connection between you and the SSL service you're trying to talk to, they can probably also MITM the OCSP or CRL server.

Also (as Adam Langley points out in the stuff I linked to earlier in this bug report) the OCSP servers risk becoming a single point of failure if you do that. If a CA's OCSP server is down, everything they sign becomes inaccessible. That would be a bad default, and probably not something you want to turn on for yourself either.

Also also,
  http://www.thoughtcrime.org/papers/ocsp-attack.pdf
which appears to be still valid with Firefox at least:
  https://bugzilla.mozilla.org/505812
So there's really no value at all in using OCSP, it seems.

--
Geoffrey Thomas
https://ldpreload.com
geo...@ldpreload.com
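To make the trade-off in the reply concrete, here is a small model of the soft-fail versus hard-fail policy discussed above. It is an added example, not code from the thread or from any browser; the certificate names and the responder outcomes are constructed in-process, and "unreachable" stands for either a CA responder outage or an on-path attacker dropping OCSP traffic, which the client cannot distinguish.

```python
"""Model of the OCSP soft-fail / hard-fail trade-off (added example)."""
from enum import Enum


class OcspResult(Enum):
    GOOD = "good"                # signed response: not revoked
    REVOKED = "revoked"          # signed response: revoked
    UNAVAILABLE = "unavailable"  # timeout / no answer


def client_accepts(result: OcspResult, hard_fail: bool) -> bool:
    """Apply the browser's revocation policy to one OCSP outcome."""
    if result is OcspResult.REVOKED:
        return False
    if result is OcspResult.UNAVAILABLE:
        # soft-fail ignores the timeout; hard-fail refuses the connection
        return not hard_fail
    return True


def simulate(certs, responder_reachable: bool, hard_fail: bool):
    """certs: {name: is_revoked}. Returns {name: connection accepted?}.

    responder_reachable=False models both a CA outage and an attacker on
    the path who blocks OCSP; the client sees the same timeout either way.
    """
    outcome = {}
    for name, revoked in certs.items():
        if not responder_reachable:
            result = OcspResult.UNAVAILABLE
        else:
            result = OcspResult.REVOKED if revoked else OcspResult.GOOD
        outcome[name] = client_accepts(result, hard_fail)
    return outcome


# Constructed sample: one valid and one revoked certificate.
CERTS = {"good.example": False, "revoked.example": True}

if __name__ == "__main__":
    for reachable in (True, False):
        for hard in (False, True):
            policy = "hard-fail" if hard else "soft-fail"
            state = "reachable" if reachable else "unreachable"
            print(f"responder {state:11} {policy}: "
                  f"{simulate(CERTS, reachable, hard)}")
```

Run stand-alone, the output shows the two failure modes the reply describes: with the responder unreachable, soft-fail accepts the revoked certificate, while hard-fail rejects every certificate from that CA, including the good one.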
