Google delivers the certificate [1] to me, for *.google.com,
*.youtube.com and other major services.
However, the OCSP service [2] does not work for me. I verified this from
multiple locations, machines, OSes and versions of Firefox. Furthermore,
I used SSL Labs [3] and the status on crt.sh [1] to verify. AFAIK other
browsers don't support hard fail for OCSP at all. However, curl does:

$ curl --version
curl 7.57.0 (x86_64-pc-linux-gnu) libcurl/7.57.0 OpenSSL/1.1.0g
zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) libssh2/1.8.0
Release-Date: 2017-11-29
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s
rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
$ curl --cert-status https://www.google.com
curl: (91) No OCSP response received

I have monitored this issue for some hours, but it's quite surprising that
Google has not yet fixed it. The OCSP service is not listed on their app
status board [4] and I failed to find any way to contact Google directly
about this issue. The Google PKI does not fit in any contact form I
found and the category "other" is always referring to some FAQs or similar.
It's also a single point of failure since all Google services are signed
by the Google PKI, which (if you are strict) cannot be fully trusted
without a valid OCSP response...

Can somebody confirm this issue? You can easily flip the
"security.OCSP.require" pref to true in about:config (Firefox) to check,
or use curl.
Is there a known contact to report it (or is someone with a Google hat
reading this anyway)?
Is there any plan if a CA fails for whatever reason and cannot be
contacted anymore, because all their services are signed by themselves?
In the case of Google they are also preloaded and pinned in all (modern)
browsers, so it's very hard to bypass (for good reasons) if they
had a serious issue in the PKI.

[1] https://crt.sh/?id=299058714&opt=ocsp
[2] http://clients1.google.com/ocsp
[4] https://www.google.com/appsstatus
