Hi Andrew. Thanks for creating this! One initial comment... I've started looking at the Sectigo OCSP responses that you've flagged, along with the corresponding OCSP requests that you sent. There seems to be a pattern for the requests that led to "malformed" responses: the base64 encodings of those requests (the ones I've looked at anyway) all seem to contain one or more occurrences of two consecutive forward-slashes. I can only reproduce a "malformed" response if I don't URL-encode those occurrences of "//" in an OCSP GET request.
Quoting Corey from https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/cMegyySSqhM/m/G7s5tFR4BAAJ: "“/” is noticeably absent from the pchar production rule (which makes sense, as it’s used as the path segment delimiter), so it must be percent-encoded." So I believe that "malformed" is actually the correct response here. See also https://crt.sh/ocsp-responders, which amongst other things does a test for "GET request containing multiple forward-slashes".

Can you confirm whether or not you're leaving "//" un-URL-encoded? Also, is your code for ocspwatch publicly available?

________________________________
From: [email protected] <[email protected]> on behalf of Andrew Ayer <[email protected]>
Sent: 22 March 2022 15:14
To: [email protected] <[email protected]>
Subject: Introducing OCSP Watch to Monitor OCSP Responder Reliability

Recently, we've seen several CA incidents related to the failure to provide OCSP responses, such as not operating OCSP services for abandoned certificate orders <https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>, or publishing OCSP responses with lengthy delays <https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>. To smoke out these issues, I've created OCSP Watch, which continuously audits a sample of unexpired certificates found in Certificate Transparency logs to make sure CAs are correctly operating OCSP services. OCSP Watch has identified over 1,000 certificates issued by 20 distinct CAs for which the CA is not providing a valid OCSP response.

The list of certificates can be found here: https://sslmate.com/labs/ocsp_watch/

OCSP responses are considered valid if the responder returns a response within 10 seconds that can be successfully parsed by Go's golang.org/x/crypto/ocsp package, and has a status of Good or Revoked.

CAs should examine the above list and file an Incident Report if necessary.

Regards,
Andrew

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220322111454.dd41936a93e1b576818510d9%40andrewayer.name.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47294004773DF94FF7CE8B07AA179%40MW4PR17MB4729.namprd17.prod.outlook.com.
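As an added illustration of the "//" point discussed above (this is example code written for this page, not ocspwatch's code and not anything posted by Rob or Andrew), the following Python builds a minimal unsigned DER OCSPRequest with hand-rolled ASN.1 helpers, base64-encodes it, and percent-encodes the result as a single path segment the way RFC 6960 Appendix A.1 describes for OCSP over HTTP GET. With `quote(..., safe="")`, every "/" in the base64 text becomes "%2F" (and "+" and "=" become "%2B" and "%3D"), so a client never emits a raw "//" that a responder is entitled to reject as malformed. The issuer bytes, serial number and responder URL are constructed placeholders, and `has_unencoded_double_slash` is a hypothetical self-check modelled on the crt.sh test mentioned in the reply.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

# --- minimal DER helpers (written for this example) ---------------------
def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_octets(b: bytes) -> bytes:
    return der_tlv(0x04, b)

def der_int(n: int) -> bytes:
    # One extra byte when the top bit would be set, so the INTEGER stays positive.
    body = n.to_bytes((n.bit_length() // 8) + 1, "big")
    return der_tlv(0x02, body)

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26 (id-sha1)

def der_sha1_algid() -> bytes:
    return der_seq(der_tlv(0x06, SHA1_OID), b"\x05\x00")  # AlgorithmIdentifier + NULL params

# --- OCSPRequest (RFC 6960 section 4.1.1), one CertID, no signature ------
def build_ocsp_request(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    cert_id = der_seq(
        der_sha1_algid(),
        der_octets(hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
        der_octets(hashlib.sha1(issuer_spk).digest()),       # issuerKeyHash
        der_int(serial),                                     # serialNumber
    )
    request = der_seq(cert_id)          # Request { reqCert }
    tbs = der_seq(der_seq(request))     # TBSRequest { requestList SEQUENCE OF Request }
    return der_seq(tbs)                 # OCSPRequest { tbsRequest }

# --- GET encoding (RFC 6960 Appendix A.1) -------------------------------
def ocsp_get_path(request_der: bytes) -> str:
    """url-encoding of the base64 of the DER; safe='' also encodes '/', '+' and '='."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return quote(b64, safe="")

def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    return responder_url.rstrip("/") + "/" + ocsp_get_path(request_der)

def decode_get_path(segment: str) -> bytes:
    """What a responder does: percent-decode, then base64-decode back to DER."""
    return base64.b64decode(unquote(segment))

def has_unencoded_double_slash(segment: str) -> bool:
    """Hypothetical self-check in the spirit of the crt.sh responder test."""
    return "//" in segment

if __name__ == "__main__":
    # Constructed placeholder inputs; real clients hash the issuer's DER Name and SPK.
    req = build_ocsp_request(b"constructed issuer name", b"constructed issuer public key", 0x1234)
    url = ocsp_get_url("http://ocsp.example.test", req)
    print(url)
    print("unencoded // present:", has_unencoded_double_slash(url.split("/", 3)[3]))
```

Running it prints a GET URL whose final path segment contains no literal "/" at all; feeding three 0xFF bytes through `ocsp_get_path` is a quick way to see the effect, since their base64 is "////".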
