On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
> I use privoxy. In the user.action file I have a redirect rule and a few 
> websites: 
> 
> 
> { +redirect{s@http://@https://@} }
> .twitter.com
> .facebook.com
> 
> 
> OK! It's working great, e.g. if I visit any "*twitter.com" URL it gets 
> redirected to HTTPS!
> 
> 
> But: with Wireshark I can see some "OCSP" packets [ 
> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
> 
> 
> Question: What are these packets? Why aren't they in HTTPS?
> 
> 
> Is my redirection method with privoxy secure?

The keys to legitimate certificates may fall in the hands of bad guys
(e.g. when they hack an HTTPS server). This would allow the bad guys to
redirect your HTTPS connections to their own machines without you seeing
any warnings until the stolen certificates are no longer valid (which
should allow them something like a year to steal your credit card).

In order to prevent this, your computer asks a special server whether
the certificate has been revoked. This is done over the OCSP protocol
(there are other solutions); the connection is not encrypted, but the
OCSP server's responses are digitally signed.

So yes, your setup seems to work just fine (or as well as SSL does in
the first place). The "HTTPS Everywhere" Firefox extension would be a
less hacky solution, though.

                Joachim

-- 
PotD: biology/bioperl - perl tools for bioinformatics
http://www.joachimschipper.nl/

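An added example, not part of the thread: a small Python model of the quoted user.action block, so you can check which requests the rule rewrites and which it leaves alone. The domain-pattern and pcrs-job handling follow my reading of the Privoxy manual and are simplified; the config text is a constructed copy of the one quoted above.

```python
import re
from urllib.parse import urlsplit
# Constructed copy of the user.action block quoted in the question.
USER_ACTION = """
{ +redirect{s@http://@https://@} }
.twitter.com
.facebook.com
"""

def host_matches(pattern, host):
    # Privoxy domain pattern: a leading dot unanchors the left side, so
    # '.twitter.com' matches twitter.com and every subdomain of it (my
    # reading of the Privoxy manual); anything else must match exactly here.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse_pcrs(job):
    # pcrs job s<d>regex<d>replacement<d>flags, <d> being any delimiter;
    # a job with fewer than three delimiters raises ValueError on unpacking.
    regex, repl, flags = job[2:].split(job[1])[:3]
    return regex, repl, flags

def parse_user_action(text):
    # Collect (pcrs_job, [domain patterns]) for every +redirect block.
    rules, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\{\s*\+redirect\{(.*)\}\s*\}$", line)
        if m:
            rules.append(current := (m.group(1), []))
        elif current is not None:
            current[1].append(line)
    return rules

def redirect_target(url, rules):
    # URL the proxy would redirect this request to, or None when no rule
    # fires. Only plain http:// requests qualify: for https the proxy sees
    # nothing but a CONNECT, so it cannot inspect or rewrite the URL.
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    for job, domains in rules:
        if any(host_matches(d, parts.hostname or "") for d in domains):
            regex, repl, flags = parse_pcrs(job)
            new = re.sub(regex, repl, url, count=0 if "g" in flags else 1)
            return new if new != url else None
    return None
RULES = parse_user_action(USER_ACTION)
```

Note that the browser still sends the original plain http:// request to the proxy before it gets the redirect; the rule only shortens that plaintext exposure, it does not remove it.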