Open SkewedZeppelin opened 4 months ago
Thanks.
presumably could either allowlist the OCSP domains
We'll try to include this allowlist in the next version.
Does the fork bypass stapled OCSP?
you know of a more maintained list that'd be appreciated
I thought raw OCSP (vs stapled) was niche.
It does prefer CRLite and stapling, but still seems to fall back to plain OCSP queries for some sites.
Mull uses arkenfox for this which covers it here https://github.com/arkenfox/user.js/issues/1576
Recently had a Mull user unable to visit many websites. My Mull has certification revocation strictly enforced with preference to CRLite and fallback to OCSP.
OCSP however runs on port 80.
I don't know the internals of how this feature works, but presumably could either allowlist the OCSP domains or try to identify OCSP requests.
The former is likely easier, but more fragile.
I do however keep a list of known OCSP domains here:
(If you know of a more maintained list that'd be appreciated :slightly_smiling_face: )
I've also seen a lot of blocklists contain these, so maybe an option to exclude them as well would be good.
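The two options raised in the opening post (allowlisting OCSP hosts, or recognising OCSP requests) sketched side by side as an added example; this is not code from the project under discussion. It relies on the HTTP framing in RFC 6960 Appendix A (POST with `Content-Type: application/ocsp-request`, or GET with the base64 DER request as the last path segment); the function names, the allowlisted host and the sample bytes are hypothetical or constructed.

```python
import base64
from urllib.parse import urlsplit, unquote

# Hypothetical allowlist; the host below is a constructed placeholder.
OCSP_HOST_ALLOWLIST = {"ocsp.ca.example"}

def is_single_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose length field matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        return len(data) == 2 + data[1]
    n = data[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def looks_like_ocsp(method: str, url: str, headers: dict, body: bytes = b"") -> bool:
    """Shape check only: matches the RFC 6960 HTTP framing, not the full ASN.1."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    if method.upper() == "POST":
        hdrs = {k.lower(): v for k, v in headers.items()}
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        return ctype == "application/ocsp-request" and is_single_der_sequence(body)
    if method.upper() == "GET":
        # Last path segment is the url-encoded base64 of the DER request.
        segment = unquote(parts.path.rsplit("/", 1)[-1])
        try:
            der = base64.b64decode(segment, validate=True)
        except ValueError:
            return False
        return is_single_der_sequence(der)
    return False

def allow_plain_http(method: str, url: str, headers: dict, body: bytes = b"") -> bool:
    """Exempt a port-80 request if the host is allowlisted or it is OCSP-shaped."""
    host = (urlsplit(url).hostname or "").lower()
    return host in OCSP_HOST_ALLOWLIST or looks_like_ocsp(method, url, headers, body)

# Constructed DER-shaped sample (SEQUENCE { SEQUENCE { INTEGER 1 } }), not a real request.
SAMPLE_DER = bytes.fromhex("30053003020101")
```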