Re: Dowaloading crl

[Amar Desai]

It seems like OCSP and CRL both are vulnerable to DOS.
It woulld be good if you can explain me how signed OCSP requests provide 
better tracing.
So does it mean, it is not very secure to add such a functionality in 
OpenSSL. And if this is so, i think  for OCSP also it is same.
Regards
Amar





Vadim Fedukovich wrote:

On Thu, Jul 17, 2003 at 10:56:06PM +0200, Dr. Stephen Henson wrote:
 

On Wed, Jul 16, 2003, Amar Desai wrote:

   

Hi All
I would like to know what are the security concerns if we provide a 
functionality of downloading a CRL (in case where there is no crl in 
specified direcotry or file) in the get_crl function using say wget?

     

You should be careful that you don't download CRLs for unstrusted
certificates. If you do there are several possible concerns:
DOS attack. The CRL download could be made very slow, either by throttling
the connection or including a huge CRL.
   

In SET, CRLs were made part of the business. That is, one could try DOS it
as a whole but cant hurt just CRL pickup.
Maybe one could send CRLs as part of TLS handshake

 

Leaking information about the caller. If the CRL downloader is on a machine
that isn't public then some details about it can be obtained (IP address etc).
   

It's unlikely non-public IP address will be shown after an ip-masquerading
host (a very popular solution). Yes, at least one http proxy (squid,
another popular solution) can insert "X-Forwarded-For: 192.1.2.3" headers
into outgoing requests unless default config was changed.
Any online status check leaks info on who deals with whom.
OCSP clients with signed requests provides even better tracing
Surprisingly there's still a very limited interest in anonymous
or controlled-leaks solutions.
 

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
   

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
 



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]