[SSL Observatory] SSL CA compromise in the wild

Sid Stamm sid at mozilla.com
Wed Mar 23 15:07:30 PDT 2011


On 3/23/11 2:58 p, Adam Langley wrote:
> On Wed, Mar 23, 2011 at 5:41 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>> HSTS helps because at least with Chrome, it requires OCSP checking to
>> pass. Thus a MITM cannot (without compromising the CA entirely) simply
>> deny CRL/OCSP checks.
> 
> Unfortunately this might change in the future if we want more
> significant Google properties to enable HSTS. We are not willing to
> tie our fate to the serving ability of our CA.

Would serving a stapled OCSP response help?  I think it's not necessary
to have a live OCSP server connection, but a timely response in one way
(stapled) or another (live).

-Sid
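The policy the three messages circle around (Chrome hard-failing HSTS hosts when OCSP cannot be checked, Google not wanting to depend on the CA's responder, Sid's suggestion that a stapled response is an equally timely answer) can be written down as a small decision procedure. The following is an added example, not code from the list, Mozilla or Chrome: a freshness check on a stapled or live OCSP response followed by the hard-fail (HSTS) versus soft-fail (non-HSTS) choice. The skew and no-nextUpdate lifetimes are assumed values, and the responses are constructed in-memory objects rather than parsed DER.

```python
"""Revocation-check policy for a TLS connection: stapled OCSP first, live OCSP second.

Added example for this thread; it is not code from the list, Mozilla or Chrome.
The OCSP "responses" are plain objects constructed inline rather than parsed
DER, so only the freshness window and the hard-fail/soft-fail policy are modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Clock skew tolerated around thisUpdate/nextUpdate (assumed value, not a standard).
MAX_SKEW = timedelta(minutes=5)
# Lifetime granted to a response that carries no nextUpdate (assumed value).
NO_NEXT_UPDATE_LIFETIME = timedelta(days=7)


@dataclass(frozen=True)
class OcspResponse:
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # None: responder published no expiry


def is_timely(resp: OcspResponse, now: datetime) -> bool:
    """True if 'now' falls inside [thisUpdate, nextUpdate], allowing MAX_SKEW."""
    if resp.this_update - MAX_SKEW > now:
        return False  # dated in the future: bad clock or a replayed response
    if resp.next_update is None:
        return now - resp.this_update <= NO_NEXT_UPDATE_LIFETIME
    return now <= resp.next_update + MAX_SKEW


def revocation_decision(
    stapled: Optional[OcspResponse],
    live_fetch: Callable[[], Optional[OcspResponse]],
    hsts: bool,
    now: datetime,
) -> str:
    """Decide whether to proceed with a TLS connection given OCSP evidence.

    A timely stapled response settles the question without contacting the
    CA; otherwise one live OCSP fetch is attempted. With no timely evidence
    an HSTS host hard-fails (the Chrome behaviour described in the thread)
    while a non-HSTS host soft-fails, which is exactly what a MITM who
    blocks OCSP traffic is counting on.
    """
    evidence = None
    if stapled is not None and is_timely(stapled, now):
        evidence = stapled
    else:
        live = live_fetch()  # None when the responder is unreachable
        if live is not None and is_timely(live, now):
            evidence = live

    if evidence is None or evidence.cert_status == "unknown":
        return "reject" if hsts else "accept-soft-fail"
    if evidence.cert_status == "revoked":
        return "reject"
    return "accept"


# Constructed sample data: a clock fixed around the date of this thread.
NOW = datetime(2011, 3, 23, 22, 0, tzinfo=timezone.utc)
FRESH_GOOD = OcspResponse("good", NOW - timedelta(hours=1), NOW + timedelta(days=1))
STALE_GOOD = OcspResponse("good", NOW - timedelta(days=10), NOW - timedelta(days=3))
FRESH_REVOKED = OcspResponse("revoked", NOW - timedelta(hours=1), NOW + timedelta(days=1))


def responder_down() -> Optional[OcspResponse]:
    """Live OCSP fetch that fails: the CA outage the thread worries about."""
    return None


def responder_good() -> Optional[OcspResponse]:
    """Live OCSP fetch that answers with a fresh 'good'."""
    return FRESH_GOOD


def responder_must_not_be_called() -> Optional[OcspResponse]:
    """Guard: a timely staple should make the live fetch unnecessary."""
    raise AssertionError("live OCSP fetched although a timely staple was present")


if __name__ == "__main__":
    print("fresh staple, HSTS:      ", revocation_decision(FRESH_GOOD, responder_must_not_be_called, True, NOW))
    print("stale staple, CA down:   ", revocation_decision(STALE_GOOD, responder_down, True, NOW))
    print("stale staple, no HSTS:   ", revocation_decision(STALE_GOOD, responder_down, False, NOW))
    print("revoked staple:          ", revocation_decision(FRESH_REVOKED, responder_good, False, NOW))
```

The point the model makes explicit: with a fresh staple the server, not the CA's responder, carries the availability risk, so an HSTS host can keep hard-failing without tying its fate to the CA's uptime; a stale staple buys nothing and falls through to the live path.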
