OCSP hard-fail
-
rschulz last edited by
Opera should add an option to opt in to OCSP hard-fail. Firefox and Explorer allow this configuration and I think that it makes sense in the wake of heartbleed. An error connecting to the OCSP server should either produce an error message or at least a warning (similar to mixed content).
For background:
- http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/
- http://security.stackexchange.com/questions/55457/how-to-configure-browser-to-detect-revoked-certificates
- http://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
-
Deleted User last edited by
Opera 12 always operates that way; it can't not. But I have no idea how the 15+ series behaves.
-
rschulz last edited by
I created a test page to see how browsers behave: http://crt.rschulz.eu. It shows that Opera doesn't detect if the OCSP or CRL server is not reachable.
-
Deleted User last edited by
@rschulz: "Opera should add an option to opt in to OCSP hard-fail."
This would be a good feature. But error pages or warnings may annoy users and they would disable the feature, as certificate warnings occurring on websites were often clicked away.
And what can a user do if an OCSP and/or CRL server is not reachable? Stop surfing?
No, I remember OCSP problems with some CAs years ago with Opera 10 and 11. The only workaround was: disable "OCSP Validate Certificates".
"I think that it makes sense in the wake of heartbleed"
Why? Do you think the feature really helps keep standard users secure against compromised CAs or MiM attacks? Or do you think the feature would be good for Opera long-time pros/geeks?
-
rschulz last edited by
Most OCSP servers are getting pretty good with uptime. See http://uptime.netcraft.com/perf/reports/performance/OCSP. I think a reasonable response of a user accessing a large e-commerce site, which is probably using a reliable CA, over public wifi is to not enter a credit card if such a warning is shown. Very similar to the case where a site shows a self-signed certificate.
I don't think it should be a fatal error. Some CAs still have unreliable CAs. One could use the netcraft data to handle them differently, by adding that information to the warning. But even for the reliable CAs it is still possible to not have access to the OCSP server (e.g. firewalls or captive portals). Opera should show a dialog similar to the one it shows for self-signed certificates. This lets the user decide whether the risk is reasonable.
Soft-fail is completely useless: https://www.imperialviolet.org/2014/04/29/revocationagain.html. The argument by netcraft (http://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html) that at least CRL isn't useless without hard-fail isn't correct, because Opera doesn't cache CRLs between browser restarts. Thus Opera should either remove CRL/OCSP checks completely and add crlset (as Chrome - of course this means that no revocation checking is done for most sites not included in crlset), or should show some warning if the CRL/OCSP isn't accessible. As it is right now the revocation checking is simply broken and useless.
-
Deleted User last edited by
OK, OCSP works, mostly.
I may be wrong, but OCSP depends on correct domain-to-IP resolving if sub-/domains are used. You can't really trust domain servers.
Yes, DNSSec exists.
-
rschulz last edited by
OCSP works until it is needed. See in https://www.imperialviolet.org/2012/02/05/crlsets.html the comparison to the seat-belt. A hacker who can do a MITM attack (the main reason to have certificates) can block access to the OCSP server in all important cases. Thus without a warning that the OCSP server isn't reachable, OCSP is completely useless, because it fails exactly when it is needed (someone is attacking you).
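As an added illustration of the argument running through this thread (example code, not from the original posts or from Opera): a small Python model of the soft-fail, hard-fail and warn policies, run over constructed scenarios including the blocked-responder attack from the last post and the captive-portal case raised earlier. The scenario names, the `Policy`/`OcspResult` enums and the `warn` verdict are assumptions made for this example.

```python
from enum import Enum
from dataclasses import dataclass

class OcspResult(Enum):
    GOOD = "good"                # responder reached, certificate not revoked
    REVOKED = "revoked"          # responder reached, certificate revoked
    UNREACHABLE = "unreachable"  # timeout, DNS failure, blocked port, captive portal

class Policy(Enum):
    SOFT_FAIL = "soft-fail"  # treat unreachable as good (common browser default)
    HARD_FAIL = "hard-fail"  # treat unreachable as fatal
    WARN = "warn"            # proceed, but show a dialog like for self-signed certs

@dataclass(frozen=True)
class Scenario:
    name: str
    truly_revoked: bool      # ground truth: what the CA's revocation database says
    responder_blocked: bool  # network condition: attacker or captive portal in the way

def query_ocsp(s: Scenario) -> OcspResult:
    """Simulated OCSP query: a blocked responder yields no answer at all."""
    if s.responder_blocked:
        return OcspResult.UNREACHABLE
    return OcspResult.REVOKED if s.truly_revoked else OcspResult.GOOD

def decide(policy: Policy, result: OcspResult) -> str:
    """Browser verdict for one connection: 'accept', 'reject' or 'warn'."""
    if result is OcspResult.REVOKED:
        return "reject"
    if result is OcspResult.GOOD:
        return "accept"
    # Only the UNREACHABLE case depends on the policy.
    return {Policy.SOFT_FAIL: "accept", Policy.HARD_FAIL: "reject", Policy.WARN: "warn"}[policy]

# Constructed scenarios (not measurements); names are used as keys by evaluate().
SCENARIOS = [
    Scenario("honest network, valid cert", False, False),
    Scenario("honest network, revoked cert", True, False),
    Scenario("MITM with stolen key, responder blocked", True, True),
    Scenario("captive portal, valid cert", False, True),
]

def evaluate(policy: Policy) -> dict:
    """Map each scenario name to the verdict the policy produces."""
    return {s.name: decide(policy, query_ocsp(s)) for s in SCENARIOS}

def accepts_revoked_under_attack(policy: Policy) -> bool:
    """True if a revoked cert gets through when the attacker blocks the responder."""
    return evaluate(policy)["MITM with stolen key, responder blocked"] == "accept"

if __name__ == "__main__":
    for p in Policy:
        print(p.value, evaluate(p))
```

The output shows the trade-off the thread argues over: soft-fail is the only policy that accepts the revoked certificate in the attack scenario, while hard-fail is the only one that blocks the legitimate site behind a captive portal.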