Open unclebearbot opened 3 years ago
@nvxarm It's expected behavior. In terms of checking certificates we copy the behavior of most browsers, but they don't use OCSP on Android (apparently to save traffic and reduce the already large network delays), so it isn't considered a bug.
Thanks for the detailed explanation.
Is there any plan to implement such a function? Firefox can recognize and block it without adding any observable overhead.
It would be important when encountering public security incidents such as the disclosure of private keys.
@nvxarm We didn't plan to implement such a feature, but will think about it later on. It will depend on the number of users that might need it.
Just to clarify: revocation checks are performed on Mac and Windows, and not performed on Android.
There is more than one solution for this task: detecting revocation-check-enabled browsers or providing an option to force it.
So, maybe in the future :)
Thank you for your patience and glad to hear the confirmation.
BTW, Firefox seems to place OneCRL (and/or upcoming CRLite) in front of OCSP. Although it can’t cover all situations, as it may still have to fall back to OCSP in theory, it just works well in practice. Furthermore, validations on short-lived signatures are skipped.
Maybe we can learn from its mechanism.
Issue Details
Expected Behavior
Actual Behavior
The page was not blocked but shown as trusted by AdGuard instead, because AdGuard re-signed it with a valid certificate, as shown in screenshot 2 below.
Screenshots
Screenshot: blocked by Firefox
![Screenshot_20210811-211826](https://user-images.githubusercontent.com/16894061/129136411-da5d5129-5109-4a09-8f32-193176cae89e.png)
Screenshot: re-signed by AdGuard
![Screenshot_20210811-211747](https://user-images.githubusercontent.com/16894061/129136468-e30ec378-c41a-4285-a634-fd724cc526f9.png)
Additional Information