Related but not exactly on point:
==========
The rogue certificate found by Google was issued by the DigiNotar Public
CA 2025. The serial number of the certificate was, however, not found in
the CA system's records. This leads to the conclusion that it is unknown
how many certificates were issued without any record present. In order
to identify these unknown certificates and to prevent them from being
used by victims, the OCSP responder requests were monitored.
==========
From the Fox-IT report on DigiNotar:
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

iang
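The monitoring the Fox-IT passage describes, as an added example that is not part of the original post or the report: compare serials seen in OCSP requests against the CA's issuance records and flag the ones with no record, while counting distinct clients per serial through a keyed hash instead of keeping the raw addresses (the log line format, the serials and the addresses are all constructed for this example).

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample of the CA's issuance records (serial numbers in hex).
# In the DigiNotar case the rogue certificate's serial was absent from these.
ISSUED_SERIALS = {"0A1B2C", "0A1B2D", "0A1B2E"}

# Constructed OCSP responder log lines: "<time> <client-ip> serial=<hex>".
# This format is an assumption for the example, not any real responder's.
SAMPLE_LOG = """\
2011-08-27T10:00:01Z 198.51.100.7 serial=0A1B2C
2011-08-27T10:00:02Z 198.51.100.7 serial=DEADBEEF
2011-08-27T10:00:05Z 203.0.113.9 serial=DEADBEEF
2011-08-27T10:00:09Z 198.51.100.7 serial=deadbeef
2011-08-27T10:01:00Z 192.0.2.44 serial=0A1B2E
"""

LINE_RE = re.compile(r"^(\S+) (\S+) serial=([0-9A-Fa-f]+)$")

def client_token(ip: str, key: bytes) -> str:
    """Keyed hash of the client address: counts distinct clients per serial
    without storing the addresses. Discarding the key afterwards makes the
    retained tokens unlinkable to the original clients."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def find_unknown_serials(log_text: str, issued: set, key: bytes) -> dict:
    """Return {serial: distinct_client_count} for every serial that appears
    in OCSP requests but has no entry in the issuance records."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than stop the monitor
        _ts, ip, serial = m.groups()
        serial = serial.upper()  # normalise hex case before the lookup
        if serial not in issued:
            seen[serial].add(client_token(ip, key))
    return {serial: len(tokens) for serial, tokens in seen.items()}

if __name__ == "__main__":
    key = os.urandom(32)  # per-run key, never written to disk
    print(find_unknown_serials(SAMPLE_LOG, ISSUED_SERIALS, key))
    # {'DEADBEEF': 2}
```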
On 6/09/11 12:48 PM, Devdatta Akhawe wrote:
> Hi folks
>
> I was surprised to note that DigiNotar had a log of all IPs who had
> requested an OCSP lookup for the bad certs. This seems like a very bad
> idea on the OCSP server's part. Does Mozilla have a policy on such
> behavior (maybe this question should be on dev.security.policy) ? I
> feel like CAs should be explicitly told (by Mozilla) to not log OCSP
> requests.
>
> Additionally, one thing I noticed was that if I visit
> https://www.secure.com in private browsing mode; Firefox makes an OCSP
> request. After closing private browsing mode and going back to the
> normal mode, if I go to https://www.secure.com then Firefox caches the
> OCSP responses and doesn't make a new OCSP request. This seems like a
> leak of information that should be disabled. What do others think?
> Thankfully, if I close Firefox after private browsing mode, then
> Firefox doesn't cache the OCSP response.
>
>
> -Devdatta
> _______________________________________________
> dev-security mailing list
> dev-security@list...
> https://lists.mozilla.org/listinfo/dev-security