I can confirm that the endpoint embedded in the certificate (http://clients1.google.com/ocsp) is giving a 404 to OCSP requests at this time. crt.sh's OCSP monitoring page also shows this.
-Paul

On January 21, 2018 at 9:07:48 AM, sjw--- via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote:

Hi

Google delivers the certificate [1] to me, for *.google.com, *.youtube.com and other major services. However, the OCSP service [2] does not work for me. I verified this from multiple locations, machines, OSes and versions of Firefox. Furthermore, I used SSL Labs [3] and the status on crt.sh [1] to verify.

AFAIK other browsers don't support hard fail for OCSP at all. However, curl does:

    $ curl --version
    curl 7.57.0 (x86_64-pc-linux-gnu) libcurl/7.57.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) libssh2/1.8.0 nghttp2/1.29.0
    Release-Date: 2017-11-29
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

    $ curl --cert-status https://www.google.com
    curl: (91) No OCSP response received

I have been monitoring this issue for some hours, but it's quite surprising that Google has not yet fixed it. The OCSP service is not listed on their app status board [4] and I failed to find any way to contact Google directly about this issue. The Google PKI does not fit in any contact form I found, and the category "other" always refers to some FAQs or similar.

It's also a single point of failure, since all Google services are signed by the Google PKI, which (if you are strict) cannot be fully trusted without a valid OCSP response...

Can somebody confirm this issue? You can easily flip the "security.OCSP.require" pref to true in about:config (Firefox) to check, or use curl.

Is there a known contact to report it (or is someone with a Google hat reading this anyway)?

Is there any plan if a CA fails for whatever reason and cannot be contacted anymore, because all their services are signed by themselves? In the case of Google they are also preloaded and pinned in all (modern) browsers, so it's very hard to bypass (for good reasons) if they had a serious issue in the PKI.

[1] https://crt.sh/?id=299058714&opt=ocsp
[2] http://clients1.google.com/ocsp
[3] https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=2607%3af8b0%3a4005%3a80a%3a0%3a0%3a0%3a200e
[4] https://www.google.com/appsstatus

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
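As an added example (not code from either message in this thread), here is a stdlib-only Python responder monitor that does what the curl check above does at the HTTP level and tells an HTTP-level failure such as the reported 404 apart from an OCSP-level answer (RFC 6960 responseStatus). It assumes the caller supplies the DER OCSPRequest body, for example one written out by `openssl ocsp -reqout`; the verdict strings are this example's own labels.

```python
"""Classify what an OCSP responder returned (RFC 6960 responseStatus), so a
monitor can tell an HTTP-level failure apart from an OCSP-level answer.
Added example, stdlib only; verdict strings are this example's own labels."""
import urllib.error
import urllib.request

# OCSPResponse.responseStatus values from RFC 6960, section 4.2.1 (4 is unused).
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def _der_header(buf, pos):
    """Return (tag, length, offset_of_value) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify_ocsp_reply(http_status, content_type, body):
    """Map an HTTP reply from an OCSP responder to a monitoring verdict. Anything
    other than an OCSPResponse with status 'successful' is a hard-fail condition
    for a client configured like 'curl --cert-status'."""
    if http_status != 200:
        return f"responder_http_error:{http_status}"   # e.g. the 404 seen in the thread
    if not body:
        return "empty_reply"
    if (content_type or "").split(";")[0].strip() != "application/ocsp-response":
        return f"unexpected_content_type:{content_type}"
    try:
        tag, _, pos = _der_header(body, 0)
        if tag != 0x30:                   # OCSPResponse is a SEQUENCE
            return "malformed_der"
        tag, length, pos = _der_header(body, pos)
        if tag != 0x0A or length != 1:    # responseStatus is a one-byte ENUMERATED
            return "malformed_der"
        return RESPONSE_STATUS.get(body[pos], f"unknown_status:{body[pos]}")
    except IndexError:
        return "malformed_der"

def probe_responder(url, ocsp_request_der, timeout=10):
    """POST a DER OCSPRequest (e.g. written by 'openssl ocsp -reqout') and classify the reply."""
    req = urllib.request.Request(url, data=ocsp_request_der, method="POST",
                                 headers={"Content-Type": "application/ocsp-request"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_ocsp_reply(resp.status, resp.headers.get("Content-Type"), resp.read())
    except urllib.error.HTTPError as e:             # 4xx/5xx: responder answered, but not with OCSP
        return classify_ocsp_reply(e.code, e.headers.get("Content-Type"), e.read())
    except (urllib.error.URLError, OSError) as e:   # DNS, connect or TLS failure
        return f"responder_unreachable:{e}"
```

Run `probe_responder("http://clients1.google.com/ocsp", open("req.der", "rb").read())` from a scheduler and alert on any verdict other than "successful"; a responder that is up but returns "unauthorized" or "tryLater" still causes a hard-fail client to refuse the connection.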