[openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL
Jakob Bohm
jb-openssl at wisemo.com
Tue Sep 26 13:22:13 UTC 2017
On 26/09/2017 14:31, Richard Moore wrote:
>
>
> On 26 September 2017 at 02:36, Kyle Hamilton <aerowolf at gmail.com
> <mailto:aerowolf at gmail.com>> wrote:
>
> On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore
> <richmoore44 at gmail.com <mailto:richmoore44 at gmail.com>> wrote:
> >
> > It's also worth pointing out that CAs are banned from running
> OCSP servers over HTTPS anyway and it isn't needed since the
> responses are already signed - http is fine.
>
> That argument fails when you consider that some people want the
> details of who they're talking to or asking about to be confidential,
> not merely authentic.
>
>
> That doesn't change the fact it's banned.
>
But ONLY for CAB/F regulated public CAs.
>
> I'm a believer in the idea that SNI and the Certificate messages
> should happen under an ephemeral DH or ephemeral ECDH cover. Others
> fear-monger to say "maybe they shouldn't".
>
>
> There are a lot of other things that would also need addressing to
> make it secret /who/ you're talking to. It's not something https
> guarantees right now. If you'd like it to that would be a whole other
> discussion.
>
However wiretapping a few central non-https OCSP responders is one
of the few attacks that will reveal this without wiretapping the
actual connection.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list