nextdns / metadata

This repository contains the data behind our Security, Privacy and Parental Control features.
https://nextdns.io

Add ocsp and crl blocklist #470

Closed it-can closed 3 years ago

it-can commented 3 years ago

I think these blocklists (ocsp and crl) need to be added to nextdns.

https://github.com/ScottHelme/revocation-endpoints

Some background info:

https://scotthelme.co.uk/revocation-checking-is-pointless/

https://sneak.berlin/20201112/your-computer-isnt-yours/

beerisgood commented 3 years ago

Same nonsense as https://github.com/nextdns/metadata/pull/468

OCSP isn't spying. It's for secure connections

it-can commented 3 years ago

> Same nonsense as #468
>
> OCSP isn't spying. It's for secure connections

Would be nice to have an opt-in in nextdns I think.

beerisgood commented 3 years ago

> Would be nice to have an opt-in in nextdns I think.

Why? If you think you need to block this and reduce your security, add the domain(s) to your blacklist.

it-can commented 3 years ago

> Would be nice to have an opt-in in nextdns I think.
>
> Why? If you think you need to block this and reduce your security, add the domain(s) to your blacklist.

Read Scott's blog...

beerisgood commented 3 years ago

> Read Scott's blog...

Read the comments on his blog, e.g.:

> I understand the weaknesses in validation, but the assertion that validation (crl or ocsp) is pointless doesn't hold water. Disabling validation through DNS or client-side settings is a self-imposed vulnerability, and says nothing about the underlying validation mechanism. It's akin to disabling your home security system and claiming that alarms/cameras/motion detectors are pointless.

https://scotthelme.co.uk/revocation-checking-is-pointless/#comment-4834056007

So the guy posts a blog about his research but he doesn't understand what he does.

You can read about both features: https://en.wikipedia.org/wiki/Certificate_revocation_list https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

m-p-3 commented 3 years ago

> Same nonsense as #468
>
> OCSP isn't spying. It's for secure connections

Which ironically isn't encrypted. So whoever is sniffing traffic can see what you're doing: Date, Time, Computer, ISP, City, State, Application Hash.

Just compile a comprehensive list of hashes, and you know which app someone is launching over the network. It's a built-in backdoor!

beerisgood commented 3 years ago

> Just compile a comprehensive list of hashes, and you know which app someone is launching over the network. It's a built-in backdoor!

Made my day.

crssi commented 3 years ago

I did not feel confident (and still don't) in my own judgement, and after reading Thorin-Oakenpants' response I could see that @it-can's and @JJayet's proposition might not be pointless, is worth considering, and would give end users a choice.

beerisgood commented 3 years ago

Some people obviously don't understand the purpose or mechanism of the Online Certificate Status Protocol (OCSP).

A report wrote that macOS sends an "application hash" each time you run the app. This "hash" is the encoded, already-known certificate that is sent to the OCSP server for the validity check.

The same happens when you go to a website that supports OCSP and use Firefox …

Read more at https://blog.jacopo.io/en/post/apple-ocsp/

crssi commented 3 years ago

@beerisgood I understand what you are trying to say but, thinking more and more here (lol... me thinking??? 😄), it is weighing security against privacy. You are talking about security and OP is talking about privacy and both of you are right... it just depends on what means more to the user in the end. So to meet in the middle, it would be nice for the end user to have a choice.

And I am sure you two would meet somewhere in the middle in a bar with unlimited quantities of beer at your disposal. 😄 Wouldn't you agree more? 😉

Here is the topic where I have asked Thorin and BigE for their opinion: https://github.com/arkenfox/user.js/issues/1063 Referring to https://github.com/arkenfox/user.js/blob/ccbca41e2d73fa63908fd87c2a7d35615016e7f7/user.js#L675-L681

Cheers

beerisgood commented 3 years ago

Security should always be preferred, but of course I'm fine if an option exists to block such stuff for increased privacy.

Mikaela commented 3 years ago

I hope the option for OCSP blocking would be opt-in rather than opt-out (https://github.com/nextdns/metadata/issues/470#issuecomment-726966135), as blocking OCSP by default would stop users of the aforementioned Arkenfox user.js (https://github.com/arkenfox/user.js/issues/1063#issuecomment-727316615) and other OCSP hard-failing browsers from working.

m-p-3 commented 3 years ago

@beerisgood

> Read more at https://blog.jacopo.io/en/post/apple-ocsp/ No, macOS does not send Apple a hash of your apps each time you run them.

Thanks, looks like I misunderstood what was said from the initial articles. Consider me correctly educated on the matter then :)

crssi commented 3 years ago

Tested the OCSP and CRL blocking now for 24 hours. Obviously OCSP has to be disabled or soft-failing in browsers for this to work... but I will never know the results for applications and IoT devices specifically.

Block CRLs and stuff will start to break. Yesterday evening the kid complained that login to EPIC is failing... guess what was the reason? Today the kid couldn't connect to Teams for remote schooling (due to Corona sh*t)... guess what was the reason?

For now, blocking OCSP is fine and blocking CRL is a BIG NO NO.

Will update for OCSP if I find something new.

Cheers

UPDATE: If OCSP is not forced by the applications, which normally are not, then blocking it breaks nothing. Blocking CRL on the other hand brings a lot of breakages.

It would be nice if we could get https://github.com/ScottHelme/revocation-endpoints/blob/master/ocsp.txt into the NextDNS blocklist options.

romaincointepas commented 3 years ago

Aside from ocsp.apple.com (when launching apps on macOS, see recent outrage), major browsers don't really use that anymore and don't send your entire browsing history to some remote servers (as this was implied in some blog posts we read).

crssi commented 3 years ago

We don't have only browsers on our networks. 😉 Is there any other reason for you to refuse adding this list (OCSP) to the collection for users to decide? If it is not a trouble, please, add it.

Thank you and cheers

beerisgood commented 3 years ago

Apple has responded to the nonsense:

crssi commented 3 years ago

@beerisgood After the fiasco of Apple bypassing firewalls and VPN apps and exposing your public IP, my trust in Apple is shattered even more. 😢

They can do that sh*t and it's a "low hanging fruit".

beerisgood commented 3 years ago

> @beerisgood After the fiasco of Apple bypassing firewalls and VPN apps and exposing your public IP, my trust in Apple is shattered even more. 😢
>
> They can do that sh*t and it's a "low hanging fruit".

That is also wrong. Read https://www.reddit.com/r/privacy/comments/k07yan/macos_big_sur_does_not_bypass_vpns/

crssi commented 3 years ago

Oh... my bad and apologies. Thank you @beerisgood, appreciated. 😄