Hi folks, I was surprised to note that DigiNotar had a log of all IPs who had requested an OCSP lookup for the bad certs. This seems like a very bad idea on the OCSP server's part. Does Mozilla have a policy on such behavior (maybe this question should be on dev.security.policy)? I feel like CAs should be explicitly told (by Mozilla) not to log OCSP requests.
Additionally, one thing I noticed was that if I visit https://www.secure.com in private browsing mode, Firefox makes an OCSP request. After closing private browsing mode and going back to the normal mode, if I go to https://www.secure.com, Firefox uses the cached OCSP response and doesn't make a new OCSP request. This seems like a leak of information that should be disabled. What do others think? Thankfully, if I close Firefox after private browsing mode, then Firefox doesn't cache the OCSP response.

-Devdatta

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
