User.js: OT: OCSP and CRL

Created on 14 Nov 2020 · 4Comments · Source: arkenfox/user.js

@Thorin-Oakenpants and @earthlng

Hey guys. This is OT, but I value your opinion mountain high.

Could you be so kind and comment this topic here: https://github.com/nextdns/metadata/issues/470

Thank you and cheers

Source

crssi

Most helpful comment

I'm not sure what you want me to do?

https://scotthelme.co.uk/revocation-checking-is-pointless/ ... "the purposes of this blog post is to demonstrate that revocation checking really is pointless as it currently stands" .. "One of the biggest problems with existing revocation mechanisms is their soft-fail nature" (emphasis in both = mine) ... and then he shows just that, by blocking at a network level via PiHole

We don't soft-fail

user_pref("security.OCSP.require", true);

FYI: Jan 2020 : https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/ - pretty sure FF is using this by default by now

reducing the need to actively query such information one by one. Additionally this new technology eliminates the privacy leak that individual queries can bring

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Comparison_to_CRLs

OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information

As stated in 1211, "It's a trade-off between security (checking) and privacy (leaking info to the CA)". And it looks as if that thread is suggesting to disable all checking

The question you should be asking is if Firefox uses secure connections with CAs. IDK the answer, but I would assume that browsers use as much encryption as possible. At the end of the day, either turn the thing off and compromise security (the risk might be super low, but it is a risk), or use what is currently available in the best config you have

Thorin-Oakenpants on 15 Nov 2020

👍3 ❤1

All 4 comments

I'm not sure what you want me to do?

We don't soft-fail

user_pref("security.OCSP.require", true);

FYI: Jan 2020 : https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/ - pretty sure FF is using this by default by now

reducing the need to actively query such information one by one. Additionally this new technology eliminates the privacy leak that individual queries can bring

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Comparison_to_CRLs

OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information

As stated in 1211, "It's a trade-off between security (checking) and privacy (leaking info to the CA)". And it looks as if that thread is suggesting to disable all checking

Thorin-Oakenpants on 15 Nov 2020

👍3 ❤1

Thank you @Thorin-Oakenpants, not only for this commenting but overall.

❤️ U
Cheers 😃

p.s. Close issue it at your will.

crssi on 15 Nov 2020

The question you should be asking is if Firefox uses secure connections with CAs. IDK the answer, but I would assume that browsers use as much encryption as possible.

At least with LetsEncrypt and Google, Firefox uses port 80 with HTTP <= 1.1 even in HTTPS-only mode judging by about:networking#http. I have been looking there trying HTTP/3 and having OCSP checking enabled with hard-failing.

In my opinion a better option than blocking OCSP (and thus decreasing security and risking giving credentials to revoked certificate compromising privacy) would be having a browser extension or similar to tell whether website is using OCSP stapling or not and then asking the administrators if they could enable the OCSP stapling. While it wouldn't resolve the issue entirely, it would decrease connections made to the CA.

I am coming from following https://github.com/nextdns/metadata/issues/470 where my comment may be more relevant, but I think it would be too weird to reply to a question here there.