Related but not exactly on point:

==========
The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of the certificate was, however, not found in the CA system's records. This leads to the conclusion that it is unknown how many certificates were issued without any record present. In order to identify these unknown certificates and to prevent them from being used by victims, the OCSP responder requests were monitored.
==========
From the Fox-IT report on DigiNotar:
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

iang

On 6/09/11 12:48 PM, Devdatta Akhawe wrote:
Hi folks

I was surprised to note that DigiNotar had a log of all IPs who had
requested an OCSP lookup for the bad certs. This seems like a very bad
idea on the OCSP server's part. Does Mozilla have a policy on such
behavior (maybe this question should be on dev.security.policy)? I
feel like CAs should be explicitly told (by Mozilla) to not log OCSP
requests.

Additionally, one thing I noticed was that if I visit
https://www.secure.com in private browsing mode, Firefox makes an OCSP
request. After closing private browsing mode and going back to the
normal mode, if I go to https://www.secure.com then Firefox caches the
OCSP responses and doesn't make a new OCSP request. This seems like a
leak of information that should be disabled. What do others think?
Thankfully, if I close Firefox after private browsing mode, then
Firefox doesn't cache the OCSP response.


-Devdatta
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
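Devdatta's point above, that a responder which logs OCSP requests knows which client looked up which certificate, and the Fox-IT passage iang quotes, in which responder requests were monitored for serials the CA had no record of, both come down to what an OCSP request actually contains. The following is an added example, not code from this thread, from Mozilla, DigiNotar or Fox-IT: a pure-Python encoder and decoder for the RFC 6960 OCSPRequest structure, a responder-side log line showing what a logging responder retains per lookup, and a check that flags serials absent from a CA's issuance records. All issuer data, serial numbers and client addresses in it are constructed, and the function names and log format are this example's own, not anything DigiNotar's responder used.

```python
"""Minimal OCSP request encoder and decoder (RFC 6960, section 4.1), pure Python.

Added example, not code from the thread, Mozilla, DigiNotar or Fox-IT.  It shows
what an OCSP responder sees on each lookup: a SHA-1 hash of the issuer name, a
SHA-1 hash of the issuer public key and the certificate serial number.  Those
three values identify one certificate, so a responder that logs (client IP,
request) pairs is logging which sites each client visited, and a CA that compares
the serials in those requests against its own issuance records can spot
certificates it never knowingly issued.  All data below is constructed.
"""
import hashlib

OID_SHA1 = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26 (id-sha1), DER-encoded OID body


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER (leading 0x00 when needed)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def build_ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Encode an unsigned v1 OCSPRequest carrying one CertID, the shape a browser sends."""
    hash_alg = tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))        # AlgorithmIdentifier {sha1, NULL}
    cert_id = tlv(0x30, hash_alg
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_key_bits).digest())  # issuerKeyHash
                  + tlv(0x02, der_int(serial)))                        # serialNumber
    request_list = tlv(0x30, tlv(0x30, cert_id))                       # SEQUENCE OF Request { reqCert }
    tbs_request = tlv(0x30, request_list)                              # version [0] omitted: DEFAULT v1
    return tlv(0x30, tbs_request)                                      # OCSPRequest { tbsRequest }


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_request(der: bytes) -> list:
    """Decode the CertIDs in an OCSPRequest: exactly the fields a logging responder retains."""
    _, ocsp_body, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(ocsp_body, 0)
    pos = 0
    while pos < len(tbs) and tbs[pos] in (0xA0, 0xA1):   # skip optional [0] version / [1] requestorName
        _, _, pos = read_tlv(tbs, pos)
    _, request_list, _ = read_tlv(tbs, pos)
    cert_ids, pos = [], 0
    while pos < len(request_list):
        _, request, pos = read_tlv(request_list, pos)
        _, cert_id, _ = read_tlv(request, 0)
        _, _alg, p = read_tlv(cert_id, 0)
        _, name_hash, p = read_tlv(cert_id, p)
        _, key_hash, p = read_tlv(cert_id, p)
        _, serial, _ = read_tlv(cert_id, p)
        cert_ids.append({"issuer_name_hash": name_hash.hex(),
                         "issuer_key_hash": key_hash.hex(),
                         "serial": int.from_bytes(serial, "big")})
    return cert_ids


def responder_log_line(client_ip: str, der: bytes) -> str:
    """One line of the kind of log the thread objects to: which client asked about which certificate."""
    fields = [f"serial={c['serial']:x} issuerKeyHash={c['issuer_key_hash'][:16]}"
              for c in parse_ocsp_request(der)]
    return f"{client_ip} " + " ".join(fields)


def serials_without_record(log_requests, issued_serials: set) -> dict:
    """Monitor responder traffic for serials the CA has no issuance record of.

    log_requests: iterable of (client_ip, der_request).  Returns {serial: [client IPs]}."""
    unknown = {}
    for ip, der in log_requests:
        for c in parse_ocsp_request(der):
            if c["serial"] not in issued_serials:
                unknown.setdefault(c["serial"], []).append(ip)
    return unknown


# Constructed demo data: hypothetical issuer, serials and client addresses
ISSUER_NAME = b"constructed-issuer-name-der"
ISSUER_KEY = b"constructed-issuer-public-key-bits"
RECORDED_SERIALS = {0x1001, 0x1002}
SAMPLE_TRAFFIC = [
    ("192.0.2.10", build_ocsp_request(ISSUER_NAME, ISSUER_KEY, 0x1001)),
    ("192.0.2.11", build_ocsp_request(ISSUER_NAME, ISSUER_KEY, 0xDEADBEEF)),  # serial with no CA record
    ("192.0.2.12", build_ocsp_request(ISSUER_NAME, ISSUER_KEY, 0xDEADBEEF)),
]

if __name__ == "__main__":
    for ip, der in SAMPLE_TRAFFIC:
        print(responder_log_line(ip, der))
    print("unrecorded:", serials_without_record(SAMPLE_TRAFFIC, RECORDED_SERIALS))
```

Two things worth noting. First, the request carries no hostname, yet the (issuerKeyHash, serial) pair pins down one certificate, so the log line is as revealing as a browsing history; that is the privacy problem with responder-side logging, and also why the cached response Devdatta describes can bridge private and normal browsing. Second, for a real issuer the `issuer_key_bits` argument must be the contents of the SubjectPublicKey BIT STRING from the issuer certificate, not the whole SubjectPublicKeyInfo, and the name must be the DER of the issuer's Name; the example passes constructed byte strings in both positions.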
