[SSL Observatory] State of SSL-brokenness: Google wants to disable CRL/OCSP

Ralph Holz holz at net.in.tum.de
Mon Feb 6 13:47:48 PST 2012


Hi,

On 02/06/2012 08:18 PM, Hanno Böck wrote:
> Seems google noted that using OCSP and not rejecting certificates on
> connection failure doesn't make much sense:
> http://www.imperialviolet.org/2012/02/05/crlsets.html
> 
> So they decided that they'll probably disable OCSP altogether. Not sure
> what I should think of it (seriously, they're probably right to disable
> something that is broken anyway).

I like the reasoning but would reach slightly different conclusions.

Mainly because I don't think OCSP is so broken we should turn it off.
Unless your attacker is so strong he can control and suppress your IP
traffic right at your gateway, OCSP will still work. They are right
about the soft-fail, however. So I guess OCSP + stapling would be
better, and it may be the more viable solution.

I also hesitate because moving the revocation part into the browser
updates doesn't seem very scalable. It will help by adding revocation
info for important sites, sure, but where do you draw the line? How many
sites do you want to add and monitor as a browser vendor? What about
open source browsers - are they supposed to follow this lead and track
revocations for x sites, by crawling the Web as Google can do? What
about the many revocations that come without a reason (that might
actually be the majority) - how should they be treated? And finally,
will CAs be happy to comply here?

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
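The soft-fail point above (a client that treats an unreachable OCSP responder as "not revoked") and the stapling alternative are easy to reason about as a decision procedure. The following is an added illustration, not code from this post or from any browser; it models only the client's decision logic under three hypothetical policies (`soft-fail`, `hard-fail`, `must-staple`), with no network access, no ASN.1 and no signature verification, and all responses and timestamps are constructed inline. It shows that a stale stapled "good" response must be rejected on its validity window, and that under soft-fail a blocked responder is enough to get a revoked certificate accepted.

```python
"""Model of a TLS client's revocation decision under different policies.

Added illustration for the OCSP soft-fail discussion; not code from the
mailing-list post. Decision logic only: no network, no ASN.1, no signature
verification. All responses and times below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy names a client could follow when checking revocation.
SOFT_FAIL = "soft-fail"      # unreachable responder -> treat as not revoked
HARD_FAIL = "hard-fail"      # unreachable responder -> reject
MUST_STAPLE = "must-staple"  # no fresh stapled response -> reject


@dataclass
class OcspResponse:
    """Simplified OCSP response: status plus signed validity window."""
    status: str            # "good" or "revoked"
    this_update: datetime
    next_update: datetime


def is_fresh(resp: OcspResponse, now: datetime) -> bool:
    """A response only counts if 'now' lies inside its validity window;
    a once-valid 'good' response replayed after it expired is ignored."""
    return resp.this_update <= now <= resp.next_update


def decide(policy: str, now: datetime,
           stapled: Optional[OcspResponse],
           fetched: Optional[OcspResponse]) -> str:
    """Return 'accept' or 'reject'.

    stapled: response the server sent in the TLS handshake (None if absent)
    fetched: response obtained from the CA's responder (None if unreachable,
             e.g. because the path to the responder was blocked)
    """
    # 1. A fresh stapled response is authoritative under every policy.
    if stapled is not None and is_fresh(stapled, now):
        return "accept" if stapled.status == "good" else "reject"
    # 2. must-staple: absence of a fresh staple is itself a failure.
    if policy == MUST_STAPLE:
        return "reject"
    # 3. Fall back to the responder; if it is unreachable or returns a
    #    stale answer, the policy decides.
    if fetched is None or not is_fresh(fetched, now):
        return "accept" if policy == SOFT_FAIL else "reject"
    return "accept" if fetched.status == "good" else "reject"


NOW = datetime(2012, 2, 6, 12, 0, tzinfo=timezone.utc)  # constructed clock


def blocked_responder_scenario(policy: str) -> str:
    """Revoked certificate, no staple (a revoked cert has no fresh 'good'
    response to staple), responder unreachable from the client."""
    return decide(policy, NOW, stapled=None, fetched=None)


def replayed_staple_scenario(policy: str) -> str:
    """Server staples a 'good' response whose window expired days ago;
    responder unreachable."""
    old = OcspResponse("good", NOW - timedelta(days=10), NOW - timedelta(days=3))
    return decide(policy, NOW, stapled=old, fetched=None)


def fresh_staple_scenario(policy: str, status: str) -> str:
    """Server staples a response that is inside its validity window."""
    fresh = OcspResponse(status, NOW - timedelta(hours=1), NOW + timedelta(days=1))
    return decide(policy, NOW, stapled=fresh, fetched=None)


if __name__ == "__main__":
    for p in (SOFT_FAIL, HARD_FAIL, MUST_STAPLE):
        print(f"{p:12s} blocked responder: {blocked_responder_scenario(p):7s}"
              f" replayed staple: {replayed_staple_scenario(p)}")
```

Only the soft-fail policy accepts in the blocked-responder and replayed-staple cases; hard-fail and must-staple both reject, at the cost that any responder outage becomes a connection failure for the hard-fail client, which is the usability pressure that leads vendors to soft-fail in the first place. Stapling with a fresh response satisfies all three policies without the client contacting the responder at all.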
