On 2020-05-15 08:47, Peter Gutmann wrote:
> Hanno Böck <ha...@hboeck.de> writes:
>> The impact it had was a monitoring system that checked whether the
>> certificate of a host was okay, using gnutls-cli with ocsp enabled (which
>> also uncovered a somewhat unexpected inconsistency in how the gnutls cli tool
>> behaves[1]).
> Sure, but if the only impact was on a specially-configured setup (gnutls-cli
> with OCSP explicitly enabled rather than a standard web browser) then it
> didn't have any real impact on actual users.
Browsers by default just ignore any OCSP error. So while the browser
might have seen an error getting the OCSP reply, the user is not aware
of it.
So it's possible that a certificate was revoked, but because OCSP was
down, the browser connected to the website without any error, while
it should have given an error. So it's possible that there was a real
impact on actual users.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
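The soft-fail behaviour Kurt describes, worked through as an added example that is not part of this thread and not code from any of its participants: it builds a throwaway CA and leaf certificate in memory (the names "Example Test CA" and "www.example.test" are constructed), simulates an OCSP responder in four states (good, revoked, reachable-but-erroring, unreachable), and then runs the same check once with the browser-style soft-fail policy and once with the hard-fail policy a monitor such as gnutls-cli with OCSP enabled effectively applies. The only real outcomes differ when the responder is down: soft-fail lets a revoked certificate through without any visible error. It assumes the `cryptography` Python package; the function and variable names are this example's own.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _make_cert(common_name, issuer_cert, subject_key, signing_key, is_ca):
    """Build a minimal certificate; issuer_cert=None means self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


# Constructed test PKI with hypothetical names; the CA also signs OCSP responses.
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_CERT = _make_cert("Example Test CA", None, CA_KEY, CA_KEY, True)
LEAF_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
LEAF_CERT = _make_cert("www.example.test", CA_CERT, LEAF_KEY, CA_KEY, False)


class ResponderDown(Exception):
    """Transport failure: the responder could not be reached at all."""


def make_responder(state):
    """Return fetch(request_der) -> response_der for a simulated responder.
    state: "good" or "revoked" (signed answers), "try_later" (reachable but
    returns an error status) or "down" (unreachable: timeout, DNS failure)."""
    def fetch(request_der):
        if state == "down":
            raise ResponderDown("connection timed out")
        if state == "try_later":
            err = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.TRY_LATER)
            return err.public_bytes(serialization.Encoding.DER)
        request = ocsp.load_der_ocsp_request(request_der)
        if request.serial_number != LEAF_CERT.serial_number:
            raise ValueError("simulated responder only knows the leaf certificate")
        now = datetime.datetime.now(datetime.timezone.utc)
        revoked = state == "revoked"
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=now + datetime.timedelta(hours=1),
            revocation_time=now - datetime.timedelta(hours=2) if revoked else None,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
        return builder.sign(CA_KEY, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
    return fetch


def ocsp_decision(fetch, hard_fail):
    """Check LEAF_CERT through fetch(); return (allow_connection, reason).
    hard_fail=False is the browser default: any failure to obtain a valid,
    signed OCSP answer is ignored and the connection goes ahead silently."""
    request_der = (
        ocsp.OCSPRequestBuilder()
        .add_certificate(LEAF_CERT, CA_CERT, hashes.SHA256())
        .build()
        .public_bytes(serialization.Encoding.DER)
    )
    try:
        response = ocsp.load_der_ocsp_response(fetch(request_der))
        if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            raise ValueError("responder status " + response.response_status.name)
        # Only an answer signed by the issuer and about our serial counts.
        # (this_update/next_update freshness checks are left out here.)
        CA_CERT.public_key().verify(response.signature, response.tbs_response_bytes,
                                    padding.PKCS1v15(), response.signature_hash_algorithm)
        if response.serial_number != LEAF_CERT.serial_number:
            raise ValueError("response is for a different certificate")
        if response.certificate_status == ocsp.OCSPCertStatus.REVOKED:
            return False, "revoked"
        if response.certificate_status == ocsp.OCSPCertStatus.GOOD:
            return True, "good"
        raise ValueError("certificate status unknown to responder")
    except (ResponderDown, ValueError, InvalidSignature) as exc:
        if hard_fail:
            return False, "ocsp check failed: %s" % exc
        return True, "ocsp check failed, ignored (soft-fail): %s" % exc


if __name__ == "__main__":
    for state in ("good", "revoked", "try_later", "down"):
        for hard_fail in (False, True):
            print(state, "hard" if hard_fail else "soft", ocsp_decision(make_responder(state), hard_fail))
```

Run it and compare the "down" and "try_later" rows: the soft-fail client allows the connection in both, the hard-fail client blocks it. A certificate that is revoked but whose responder is unreachable therefore looks exactly like a good one to the soft-fail client, which is the gap Kurt points at; a monitor that hard-fails sees the outage, which is why Hanno's gnutls-cli setup noticed it.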