Re: what is the “Online Certificate Status Protocol”
The simple answer as to why OCSP isn't itself via HTTPS is that this would be a cyclical dependency: if you need to accept a certificate, you need to confirm its continuing validity. If you have to use a connection relying on that same logic to confirm validity, at what point are you then able to make a connection?

The cryptographic component of OCSP, as Wikipedia points out, is providing a validating signature with the response.

On 9 Mar 2011, at 09:30, erikmccaskey64 wrote:

> But: with wireshark i can see some "OCSP" packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
>
> Question: What are these packets? Why aren't these in HTTPS?
Re: what is the “Online Certificate Status Protocol”
On Wed, Mar 09, 2011 at 03:03:22PM -0430, Andres Perera wrote:
> On Wed, Mar 9, 2011 at 9:27 AM, Joachim Schipper
> wrote:
> > On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
> >> I use privoxy. In the user.action file i have a redirect rule and a
> >> few websites:
> >>
> >>
> >> { +redirect{s@http://@https://@} }
> >> .twitter.com
> >> .facebook.com
> >
> > (...) your setup seems to work just fine (or as well as SSL does in
> > the first place). The "HTTPS Everywhere" Firefox extension would be a
> > less hacky solution, though.
>
> i'm curious as to why you say that. afaik, https everywhere also
> works by rewriting the uri, just like privoxy or squid would, while
> not being limited to one browser, not being unable to log actions, not
> being unable to scale for a whole site instead of a single system,
> etc.

I dislike "transparently" messing with connections. If you use HTTPS Everywhere, it's still your browser talking to Facebook/Twitter/whatever. Additionally, if Facebook ever sets its session cookies on, say, facebookapi.com instead of facebook.com, the extension is likely to receive an upgrade.

But yes, this is somewhat subjective; I'll try to make that clearer next time.

        Joachim

-- 
TFMotD: perlrequick (1) - Perl regular expressions quick start
http://www.joachimschipper.nl/
Re: what is the “Online Certificate Status Protocol”
On Wed, Mar 9, 2011 at 9:27 AM, Joachim Schipper wrote:
> On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
>> I use privoxy. In the user.action file i have a redirect rule and a few websites:
>>
>>
>> { +redirect{s@http://@https://@} }
>> .twitter.com
>> .facebook.com
>>
>>
>> Ok! it's working great, e.g.: if i visit any "*twitter.com" URL it gets redirected to HTTPS!
>>
>>
>> But: with wireshark i can see some "OCSP" packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>>
>>
>> Question: What are these packets? Why aren't these in HTTPS?
>>
>>
>> Is my redirection method with privoxy secure?
>
> The keys to legitimate certificates may fall in the hands of bad guys
> (e.g. when they hack an HTTPS server). This would allow the bad guys to
> redirect your HTTPS connections to their own machines without you seeing
> any warnings until the stolen certificates are no longer valid (which
> should allow them something like a year to steal your credit card).
>
> In order to prevent this, your computer asks a special server whether
> the certificate has been revoked. This is done over the OCSP protocol
> (there are other solutions); the connection is not encrypted, but the
> OCSP server's responses are digitally signed.
>
> So yes, your setup seems to work just fine (or as well as SSL does in
> the first place). The "HTTPS Everywhere" Firefox extension would be a
> less hacky solution, though.

i'm curious as to why you say that. afaik, https everywhere also works by rewriting the uri, just like privoxy or squid would, while not being limited to one browser, not being unable to log actions, not being unable to scale for a whole site instead of a single system, etc.

>
>         Joachim
>
> -- 
> PotD: biology/bioperl - perl tools for bioinformatics
> http://www.joachimschipper.nl/
Re: what is the “Online Certificate Status Protocol”
On Wed, Mar 9, 2011 at 4:30 AM, erikmccaskey64 wrote:
> I use privoxy. In the user.action file i have a redirect rule and a few
> websites:

What version of OpenBSD are you running?

-- 
Paul D. Ouderkirk
Senior UNIX System Administrator
p...@ouderkirk.ca
-- laughing, in the mechanism -- William Gibson
Re: what is the “Online Certificate Status Protocol”
On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
> I use privoxy. In the user.action file i have a redirect rule and a few
> websites:
>
>
> { +redirect{s@http://@https://@} }
> .twitter.com
> .facebook.com
>
>
> Ok! it's working great, e.g.: if i visit any "*twitter.com" URL it gets
> redirected to HTTPS!
>
>
> But: with wireshark i can see some "OCSP" packets [
> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
>
> Question: What are these packets? Why aren't these in HTTPS?
>
>
> Is my redirection method with privoxy secure?

The keys to legitimate certificates may fall in the hands of bad guys (e.g. when they hack an HTTPS server). This would allow the bad guys to redirect your HTTPS connections to their own machines without you seeing any warnings until the stolen certificates are no longer valid (which should allow them something like a year to steal your credit card).

In order to prevent this, your computer asks a special server whether the certificate has been revoked. This is done over the OCSP protocol (there are other solutions); the connection is not encrypted, but the OCSP server's responses are digitally signed.

So yes, your setup seems to work just fine (or as well as SSL does in the first place). The "HTTPS Everywhere" Firefox extension would be a less hacky solution, though.

        Joachim

-- 
PotD: biology/bioperl - perl tools for bioinformatics
http://www.joachimschipper.nl/
Re: what is the “Online Certificate Status Protocol”
On 03/09/11 09:30, erikmccaskey64 wrote:
> I use privoxy. In the user.action file i have a redirect rule and a few
> websites:
>
>
> { +redirect{s@http://@https://@} }
> .twitter.com
> .facebook.com
>
>
> Ok! it's working great, e.g.: if i visit any "*twitter.com" URL it gets
> redirected to HTTPS!
>
>
> But: with wireshark i can see some "OCSP" packets [
> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
>
> Question: What are these packets? Why aren't these in HTTPS?
>
>
> Is my redirection method with privoxy secure?
>
>
> Thank you for any tips/opinions!
>

Hi,

SSL certificate chains should be validated before they are used. OCSP is one method used as part of the validation process; this is done during the establishment of an SSL connection and is not encrypted. SSL encryption should only be used once the certificate / public key chain has been validated. If a certificate chain is compromised you don't want to use it, because someone might be decrypting the traffic thought to be safe.

Look in the certificates and you will find URLs for CRL and/or OCSP.

Regards

Nigel Taylor
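The two points the replies above make (the responder URL lives in the certificate itself, and the OCSP exchange is unencrypted but signed, so the client checks the signature rather than the transport) can be reproduced offline with the openssl CLI. The script below is an added example and is not from this thread or from any of the posters; it assumes only that the `openssl` binary is installed. Everything in it is constructed: a throw-away CA, a leaf certificate whose Authority Information Access and CRL Distribution Points extensions carry placeholder URLs under `.invalid`, a CA index file standing in for the responder's revocation database, and a second self-signed key playing a signer the client does not trust. No network connection is made; the request and the signed response are passed between the two sides as DER files.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline OCSP round trip with the
# openssl CLI. All names, URLs and serials below are constructed placeholders.
set -eu

WORK=$(mktemp -d)

# 1. Throw-away CA and a leaf certificate. The leaf carries the two
#    extensions a client reads to find revocation information: the OCSP
#    responder URL (Authority Info Access) and a CRL distribution point.
cat > "$WORK/ext.cnf" <<'EOF'
[ leaf_ext ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/
crlDistributionPoints = URI:http://crl.example.invalid/ca.crl
EOF
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 3650 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.invalid" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -set_serial 0x1A -days 365 -extfile "$WORK/ext.cnf" -extensions leaf_ext \
  -out "$WORK/leaf.pem" 2>/dev/null
# An unrelated self-signed key: a responder signer the client has no reason
# to trust. Used to show that the signature check, not the transport, is
# what protects the answer.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Not The CA" -days 3650 \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# 2. What the client does first: read the responder URL out of the
#    certificate. This is where the "OCSP packets" seen in wireshark go.
ocsp_url_in_cert() {
  openssl x509 -in "$WORK/leaf.pem" -noout -ocsp_uri
}

# 3. The responder's database, in openssl's CA index format:
#    status, expiry, revocation date[,reason], serial (hex), file, subject.
mark_cert() {  # $1 = good | revoked
  if [ "$1" = revoked ]; then
    printf 'R\t360101000000Z\t250101000000Z,keyCompromise\t1A\tunknown\t/CN=leaf.example.invalid\n'
  else
    printf 'V\t360101000000Z\t\t1A\tunknown\t/CN=leaf.example.invalid\n'
  fi > "$WORK/index.txt"
}

# 4. One OCSP exchange with both sides in-process: the client builds the
#    request, the responder answers from the index and signs with $1's key,
#    and the client verifies that signature against the CA it trusts.
#    Prints the status word ("good" / "revoked") on success; returns 1 when
#    the response's signature cannot be tied to a trusted CA.
ocsp_status() {  # $1 = signer key/cert basename: "ca" or "other"
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
    -reqout "$WORK/req.der" 2>/dev/null
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
    -rsigner "$WORK/$1.pem" -rkey "$WORK/$1.key" -ndays 1 \
    -reqin "$WORK/req.der" -respout "$WORK/resp.der" 2>/dev/null
  status=$(openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
    -respin "$WORK/resp.der" -CAfile "$WORK/ca.pem" 2>"$WORK/verify.log" \
    | sed -n 's/^.*leaf\.pem: //p')
  # openssl still prints a status line for a badly signed response; only the
  # verification result on stderr says whether that status can be believed.
  grep -q 'Response verify OK' "$WORK/verify.log" || return 1
  echo "$status"
}

# Stand-alone run: responder URL, then good / revoked / untrusted signer.
ocsp_url_in_cert
mark_cert good;    echo "signed by CA:      $(ocsp_status ca)"
mark_cert revoked; echo "signed by CA:      $(ocsp_status ca)"
mark_cert good
ocsp_status other >/dev/null || echo "signed by other:   rejected (Response Verify Failure)"
```

The third case is the one the thread is really about: the answer from the responder with the untrusted key says "good" just like the first one, and the client can still read it because nothing is encrypted, but `openssl ocsp` reports "Response Verify Failure" because the signer does not chain to the CA given with `-CAfile`. That signature check is what OCSP relies on instead of HTTPS, which, as the first reply notes, could not be used without first trusting a certificate.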
what is the “Online Certificate Status Protocol”
I use privoxy. In the user.action file i have a redirect rule and a few websites:

{ +redirect{s@http://@https://@} }
.twitter.com
.facebook.com

Ok! it's working great, e.g.: if i visit any "*twitter.com" URL it gets redirected to HTTPS!

But: with wireshark i can see some "OCSP" packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]

Question: What are these packets? Why aren't these in HTTPS?

Is my redirection method with privoxy secure?

Thank you for any tips/opinions!