[openssl-users] Thoughts about security, privacy, ...

Walter H. Walter.H at mathemainzel.info
Sat Oct 31 18:11:29 UTC 2015


On 31.10.2015 13:01, Michael Ströder wrote:
> Walter H. wrote:
>> On 30.10.2015 21:42, Michael Ströder wrote:
>>> Walter H. wrote:
>>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>>> She (Eve) would know that the requesting party Alice
>>>>> was talking to Bob at the very moment she sent Trent
>>>>> the OCSP *request* for Bob's certificate.
>>>>>
>>>>> [...] equivalent of having (almost complete) real time
>>>>> copies of everybody's phone bill/call records.
>>>>> Who was calling who at what time.
>>>> this is not a problem as long as the public keys (the certificates) are
>>>> not really public;
>>>> because in your example Eve doesn't have the knowledge which certificate
>>>> the specific serial number has ...
>>>>
>>>> if the public keys (the certificates) are searchable by public - the worst
>>>> case direct by a search engine like google - then you would get an
>>>> absolute security hole:
>>> Update for you: https://crt.sh/
>>>
>> you know the difference between SSL and S/MIME?
> I know the difference very well - probably even longer than you.
sorry, I don't think so, because you didn't really reply with anything in 
connection with S/MIME, as I mentioned;
you gave an "update" relevant to SSL ...

> Note:
> 1. Google's certificate transparency project is not limited to certain
> certificate types.
sure?
give me a hint for finding S/MIME certificates; finding my own would be 
nice;

for SSL/TLS certificates I don't need this, I just use this

<script>
#!/bin/bash
#
# usage: retrieve-cert.sh remote.host.name [port]
#
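# Host to query (required) and port (defaults to 443)
REMHOST=$1
REMPORT=${2:-443}

# Empty stdin makes s_client exit after the handshake;
# sed keeps only the PEM block of the certificate that is printed.
echo |\
   openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'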
</script>

> 2. Privacy concerns are raised because of browsers validating server certs via
> OCSP during TLS connect.
are you sure? think of validating a certificate like this:
<cert-san>
X509v3 Subject Alternative Name:
DNS:rsc.cdn77.org, DNS:*.rsc.cdn77.org, DNS:*.c.cdn77.org, 
DNS:cdn.perfdrive.com, DNS:www.secure.nsw.gov.au, DNS:www.cdn77.com, 
DNS:info.gossipslots.eu, DNS:*.r2games.com, DNS:cdn.medio.com, 
DNS:*.cdn77-ssl.net, DNS:static.netverify.com, DNS:static.popads.net, 
DNS:c1.popads.net, DNS:cdn77.clickfun.com, DNS:content.thunderkick.com, 
DNS:cdn.xsolla.com, DNS:cdns.kinguin.net, DNS:cdn.ometria.com, 
DNS:static.victorinox.com, DNS:images.victorinox.com, 
DNS:uat.static.victorinox.com, DNS:static1.zuerich.com, 
DNS:uat.images.victorinox.com, DNS:ret.tyroodr.com, 
DNS:unic.static.victorinox.com, DNS:static.jumio.com, 
DNS:static.netswipe.com, DNS:cdn77.clickfuncasino.com, 
DNS:assets.victorinox.com, DNS:cache.graphicslib.viator.com, 
DNS:cache.vtrcdn.com, DNS:m.vtrcdn.com, DNS:partner.vtrcdn.com, 
DNS:cdn.qbaka.net, DNS:i.gocollette.com, DNS:cdn.ctnsnet.com, 
DNS:videos.kinkylove.com, DNS:images.kinkylove.com, DNS:cdn.igopost.com, 
DNS:cdn3.merchenta.com, DNS:cdn.sscontent.com, DNS:cnt.booming.de, 
DNS:cdn.exactag.com, DNS:cdn.garantibil.se, DNS:cloud.majestic.co.uk, 
DNS:cdn.eprofessional.de, DNS:cdn.webstaurantstore.com, 
DNS:cdn.darkstarrisen.com, DNS:static-vid.ibotta.com, 
DNS:cdn.contentdn.net, DNS:cdn.nailsuperstore.com, 
DNS:info.drakecasino.eu, DNS:media.lingeriestyling.com, 
DNS:info.gtbets.eu, DNS:cdn.levenhuk.com, DNS:cdn.axonify.com, 
DNS:cdn.propellant.dk, DNS:static.scania.com, DNS:cdn.majestic.co.uk, 
DNS:cdn.professionalthemes.nyc
</cert-san>
and what would it say to me if I knew that you had just validated a 
certificate of CA x with serial 36635145454?
then tell me where privacy concerns are raised ...
> =>  OCSP should be feasible over TLS in the spirit of RFC 7258.
as long as many CAs even have their 2048 bit root keys,*)
they had many years before ...
there is no need for OCSP over TLS

*) some had them years ago using MD5, then using SHA1 and maybe now 
using SHA2 ...

security and usability have a higher priority for me than privacy ...

Greetings,
Walter
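
As an added illustration of the exchange above (not part of the original post): an OCSP request sent over plain HTTP identifies the certificate by two issuer hashes and the serial number, so what an observer learns depends on whether that serial can be mapped to a certificate and on how many names the certificate covers. The request bytes, the placeholder hashes and the `LOG_INDEX` table are constructed for this example; the serial and the host names are the ones quoted in the post.

```python
def read_tlv(buf, pos=0):
    """Decode the DER element at pos; return (tag, body, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        nlen = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nlen], "big")
        pos += nlen
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def observed_fields(request):
    """CertID fields of the first request in an RFC 6960 OCSPRequest."""
    body = request
    for _ in range(5):  # OCSPRequest > TBSRequest > requestList > Request > CertID
        pos, tag = 0, None
        while tag != 0x30:  # skip optional tagged fields (version, requestorName)
            tag, inner, pos = read_tlv(body, pos)
        body = inner
    _, _, pos = read_tlv(body)  # hashAlgorithm
    _, name_hash, pos = read_tlv(body, pos)
    _, key_hash, pos = read_tlv(body, pos)
    _, serial, _ = read_tlv(body, pos)
    return {"issuerNameHash": name_hash.hex(), "issuerKeyHash": key_hash.hex(),
            "serialNumber": int.from_bytes(serial, "big")}

# Constructed request: SHA-1 CertID, placeholder issuer hashes (0x11.., 0x22..),
# serial 36635145454 (0x08879ff4ee) as quoted in the post.
REQUEST = bytes.fromhex("3046304430423040303e" + "300906052b0e03021a0500"
                        + "0414" + "11" * 20 + "0414" + "22" * 20
                        + "020508879ff4ee")

# Hypothetical lookup table of the kind a public certificate log makes possible;
# the names are a shortened subset of the SAN list in the post.
LOG_INDEX = {
    ("22" * 20, 36635145454): ["static.victorinox.com", "cdn.xsolla.com",
                               "static.scania.com"],
}

def candidate_hosts(request, index):
    """Names the observed certificate could belong to, given such an index."""
    seen = observed_fields(request)
    return index.get((seen["issuerKeyHash"], seen["serialNumber"]), [])

if __name__ == "__main__":
    print(observed_fields(REQUEST))
    print(candidate_hosts(REQUEST, LOG_INDEX))
```
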



