On 26/09/2017 14:31, Richard Moore wrote:
On 26 September 2017 at 02:36, Kyle Hamilton <[email protected] <mailto:[email protected]>> wrote:On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore <[email protected] <mailto:[email protected]>> wrote: > > It's also worth pointing out that CAs are banned from running OCSP servers over HTTPS anyway and it isn't needed since the responses are already signed - http is fine. That argument fails when you consider that some people want the details of who they're talking to or asking about to be confidential, not merely authentic. That doesn't change the fact it's banned.
But ONLY for CAB/F regulated public CAs.
I'm a believer in the idea that SNI and the Certificate messages should happen under an ephemeral DH or ephemeral ECDH cover. Others fear-monger to say "maybe they shouldn't".There are a lot of other things that would also need addressing to make it secret /who/ you're talking to. It's not something https guarantees right now. If you'd like it to that would be a whole other discussion.
However wiretapping a few central non-https OCSP responders is one of the few attacks that will reveal this without wiretapping the actual connection. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
