ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

OCSP error on https://www.ssllabs.com #920

Open annubiz opened 1 year ago

annubiz commented 1 year ago

I went to https://www.ssllabs.com today to test another site. I got an OCSP error trying to hit https://www.ssllabs.com. I always have security.OCSP.enabled set to 1 (true) in my browser and security.OCSP.require set to true.

After I set security.OCSP.require to false I could hit your site. I did a little digging to find the root cause. Your certificate was issued by DigiCert and the OCSP endpoint in the cert they issued to you is http://ocsp.digicert.com/. If you do an SSL server test on ocsp.digicert.com, your report: https://www.ssllabs.com/ssltest/analyze.html?d=ocsp.digicert.com

says that DigiCert's own OCSP endpoint's certificate has a hostname mismatch. Last month the certificate was expired. Now they issued a new one that has: Alternative names | digicert.edgecastcdn.net cacerts.digicert.com dl.cacerts.digicert.com vmc.digicert.com   MISMATCH

The clowns at DigiCert /ignored/ my direct request (for months) to them to fix their expired cert. I kept running into many of their customers' sites that I could not connect to without disabling OCSP validation checks. It appears that they /finally/ issued a new cert, but they did such an amateur job that their OCSP validation /still/ won't work. I mean... it's not like it's their job to issue certs and they should know how to do their #1 primary function..... OH it IS their job! What a bunch of clowns.

YOU are a customer of theirs, you use their certs. Can you PLEASE contact the DigiCert enterprise help desk and kindly point out their error, and ask them to fix it? Please?

I can't connect to any of their customers' sites without disabling OCSP validation... which violates cyber hygiene 101.

Thank you for your time.

smuda commented 1 year ago

OCSP is normally http-only, for good reasons. All the DigiCert certificates I looked at point to http://ocsp.digicert.com, and you even wrote http in your message, not https.

You don't need SSL/TLS for a protocol where the payload is signed and there are no privacy requirements.

annubiz commented 1 year ago

Your point is invalid.

The first major point is that without OCSP, it's hard/impossible to tell if the site you think you're on is /really/ the right site. It might be a fraudulent site /posing/ as the site you intended to go to, to either push disinformation or plant malware on your computer. How can you tell if there is no certificate validation? You can't.

The second major point is that OCSP.required is a browser-wide setting that applies to ALL sites that a browser visits. The setting should not have to be turned on/off depending on which site you're on now... AND if you have multiple tabs open for different sites and even ONE should require OCSP, then all the others will fail, because you need OCSP.required for that one site. One would have to either set your computer to the weak setting of OCSP.required OFF and /hope/ that when you go to your bank, you're not being man-in-the-middled to steal your bank logon credentials... that would be really stupid. OR set OCSP.required ON so that the certificate of the site you intend to go to always gets validated, to give evidence that the site is valid.

smuda commented 1 year ago

In your first post you complained that DigiCert does not provide OCSP over https.

I'm not arguing that OCSP is a bad thing, I'm just telling you that the OCSP protocol does not need SSL/TLS because there are other security mechanisms in place. Publishing OCSP servers has historically always been over http. Just think about what happens if you require OCSP and the TLS certificate from DigiCert (if there were such a certificate) points to the same site for OCSP. You would end up in an endless loop. DigiCert is following best practices when publishing their OCSP server over plain http.

The problem you're seeing is likely something other than requiring OCSP. Perhaps you have enabled some other browser configuration (or plugin) that redirects all http traffic to https.
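As an added example that is not part of this thread or of the ssllabs-scan project: a Go check, standard library only, that reads the AIA OCSP responder URLs out of a certificate and flags any that are not plain http, the layout smuda describes as best practice. The certificate is constructed inline under a made-up hostname (example.test); the only real URL used is the DigiCert responder from the first post, and the https responder is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)
// makeTestCert builds a constructed self-signed certificate whose AIA extension
// lists the given OCSP responder URLs (a stand-in, not a real DigiCert certificate).
func makeTestCert(ocspURLs []string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		OCSPServer:   ocspURLs,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
// nonHTTPResponders parses a DER certificate and returns every AIA OCSP URL that is
// not plain http; an https responder would itself need a revocation check first (the loop above).
func nonHTTPResponders(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var odd []string
	for _, raw := range cert.OCSPServer {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "http" {
			odd = append(odd, raw)
		}
	}
	return odd, nil
}
func main() {
	// Constructed input: the thread's DigiCert responder URL plus a hypothetical https one.
	der, _ := makeTestCert([]string{"http://ocsp.digicert.com/", "https://ocsp.example.test/"})
	odd, err := nonHTTPResponders(der)
	fmt.Println("non-http OCSP responders:", odd, err)
}
```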