JeremyRand
commented
3 years ago The response headers can be MITM'ed by an attacker since AIA doesn't connect over TLS, but AFAICT the only thing a spoofed caching header can do is DoS things, and anyone who can do a MITM has lots of easier ways of DoSing things.
Also see https://github.com/namecoin/ncdns-nsis/issues/87 for a different way this issue can manifest, with a different proposed solution. (I think we should do both solutions, but the one in this issue should be deployed first so that we can hopefully smoke out any remaining AIA cache issues).
We are still running into occasional issues where an AIA Parent certificate will be loaded from the CryptNet cache (as opposed to the network) on Windows even though the cached cert has expired. This causes cert validation to fail when revisiting a site that was previously visited some days/weeks ago. This doc insinuates that the cache keeps track of the following response headers:
Last-Modifiedmax-ageinCache-ControlETagThis means we might be able to fix this breakage by including those response headers in Encaya. (Right now, none of them are included by Encaya.)