[SSL Observatory] SSL CA compromise in the wild
Sid Stamm
sid at mozilla.com
Wed Mar 23 15:13:33 PDT 2011
On 3/23/11 3:10 p, Jacob Appelbaum wrote:
> I think it makes sense to create a community of caching OCSP proxy
> servers. Browsers could use it in the event of a CA failure.
>
> It's not too much more of a privacy nightmare than OCSP without hard
> failures... Is it?
It's dependent on who runs the proxies and whether or not users trust
the organization -- and also dependent on where you place your privacy
values. The trust landscape changes if you do load-balancing of OCSP
via proxy, shifting some of the trust from the CAs to the proxy servers.
Perhaps for OCSP uptime you're trading your browsing habits.
Old privacy concern: MITM.
New privacy concern: panoptiproxy.
-Sid
More information about the Observatory
mailing list