On 2016-09-27 01:18, Jakob Bohm wrote:
It would perhaps be useful if you could dispute, using Firefox as an
example, and considering the real deployment (not the theoretical
abstract of ways in which someone 'might' configure about:flags, but
no one can and still have the same experience), the following points:

https://www.imperialviolet.org/2011/03/18/revocation.html

This tells me that Firefox OCSP defaults are *insecure* and reaffirms
my impression that Firefox has completely dropped the ball on CRL
handling (since the security-on setting is for OCSP only).

It also claims (with apparent evidence) that other browsers are
similarly lenient by default, which is a surprise.

You should really try and set the OCSP check to mandatory, connect on many different networks, and then see how many times it breaks.

For instance when you connect to a captive portal and it does https it's very likely that the OCSP check will fail.

We really want OCSP stapling.


Kurt
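
The message above asks for OCSP stapling and points out that a client-side OCSP fetch often fails on captive-portal networks. Whether a server staples at all is something an operator can verify directly. The following shell script is an added example, not code from the thread or from Mozilla: it classifies the output of `openssl s_client -status` (the real OpenSSL tool; the function names `classify_staple` and `probe_stapling` and the sample outputs are constructed here) so that "no response sent", i.e. the case where the browser would have to do its own soft-fail OCSP lookup, is distinguished from a stapled good, revoked or unknown status.

```shell
#!/bin/sh
# Added example (not from the thread): classify a server's OCSP stapling
# behaviour from the text printed by `openssl s_client -status`. The parser
# takes captured text so it can be exercised offline; probe_stapling() runs
# the live check against a host you operate.

# classify_staple TEXT -> prints one of:
#   none      - server sent no stapled response; the client is left to fetch
#               OCSP itself, which is the soft-fail situation discussed above
#   good | revoked | unknown - stapled response present with that cert status
#   malformed - something was stapled but the expected status lines are absent
classify_staple() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
        return 0
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo malformed
        return 0
    fi
    # "    Cert Status: good" is how s_client prints the per-certificate status
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        good|revoked|unknown) echo "$status" ;;
        *) echo malformed ;;
    esac
}

# probe_stapling HOST [PORT]: live check with SNI, result via classify_staple.
# Not run offline; intended for servers you administer.
probe_stapling() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -status </dev/null 2>/dev/null)
    classify_staple "$out"
}

# Constructed sample outputs (abridged, not real captures) for offline use.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=1 C = XX, O = Example CA'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep 26 00:00:00 2016 GMT
======================================'

SAMPLE_REVOKED='OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Sep 20 00:00:00 2016 GMT'

# Stand-alone run: show the classification of each constructed sample.
for s in "$SAMPLE_NONE" "$SAMPLE_GOOD" "$SAMPLE_REVOKED"; do
    classify_staple "$s"
done
```

To check a server you run, call `probe_stapling example.com` from a host with `openssl` installed; a result of `none` means browsers on that server's sites must perform their own OCSP fetch, with whatever soft-fail default they carry.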

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy