Control: tags -1 wontfix

On mar, mag 05, 2015 at 01:23:46 +0200, Vincent Lefevre wrote:
> On 2015-05-04 19:57:25 +0200, Alessandro Ghedini wrote:
> > On lun, mag 04, 2015 at 12:28:02 +0200, Vincent Lefevre wrote:
> > > OK, if I understand, it just supports OCSP stapling, not plain OCSP.
> > > So, why not use plain OCSP if no OCSP stapling information is
> > > received?
> > 
> > Plain OCSP has several problems
> 
> This is FUD. The possible problems are very minor compared to other
> problems, in particular compared to the potential security problems.
> 
> > (increased latency,
> 
> Only for the first request to the server. So, on average, I doubt that
> this is noticeable. Adverts and images on web sites are much worse.

You seem to keep confusing libcurl for a web browser. It's not (unless you
decide for whatever reason to build one yourself on top of it). "Adverts and
images on web sites" are of no concern to curl developers (not to mention that
adverts would probably require their own additional OCSP requests...).

> > privacy concerns,
> 
> Well, at worst, the OCSP responder just gets the domain and the IP of
> the user, right?

At worst, major certificate authorities get the IP address of every user
connecting to most websites using TLS.

> There are similar privacy concerns with the DNS, and even worse with the ISP
> (which can get much more information on the user).

And? Just because there are other ways to fuck you over it doesn't mean it's ok
to add yet another one. Not to mention that it's much easier for, say, law
enforcement, to randomly fish for "criminals" by requesting information from a
few big <put nationality here> CAs, then do the same for every website and ISP.

> And with Google and Facebook too.

How does this have anything to do with OCSP?

> > and general unreliability)
> 
> Very rare. I've been using security.OCSP.require = true with Firefox
> for one year now

So? No one is going to make a decision based on what you, a single user out of
a few million ones, do.

Anyway, you forgot the part where the OCSP server is not responding because
someone is intercepting and blocking your OCSP requests. Or actively DDoSing
the OCSP server.

> > so there's little chance it will be implemented, let alone enabled
> > by default.
> 
> If curl were built against GnuTLS, it would have it automatically
> (like lynx and wget).

curl *is* built against GnuTLS as of a couple of days ago, and no, this didn't
magically add support for OCSP as you seem to think.

GnuTLS (like most other TLS libraries) supports creating OCSP requests, but you
also need to send them (e.g. ocsptool in gnutls-bin implements its own HTTP
client) and then verify that the response is valid. None of this is automatic.

Also, how exactly do wget and lynx support OCSP? Because AFAICT they don't (they
don't even support OCSP stapling).

Cheers
