diff --git a/blog/2019-08-06-trouble-with-ocsp.markdown b/blog/2019-08-06-trouble-with-ocsp.markdown index 2ab0f34..981c798 100644 --- a/blog/2019-08-06-trouble-with-ocsp.markdown +++ b/blog/2019-08-06-trouble-with-ocsp.markdown @@ -5,14 +5,13 @@ date: 2019-08-06 comments: true tags: ocsp, tor, security, privacy --- -# Trouble with OCSP -> This is a post about side channel information leakage that was present in OnionBrowser in some OCSP flows. This is not a exhaustive documentation of OCSP protocol. +> This is a post about side channel information leakage that was present in OnionBrowser in some OCSP flows. This post omits a lot of details about OCSP protocol. -Digital certificates are issued for a longer timespan. It reduces maintaince overhead. Most of the cases CAs issue a certificate and they are valid untill the expiration time. +Digital certificates are issued for a longer timespan. It reduces maintenance overhead. Most of the cases CAs issue a certificate and they are valid until the expiration time. But what are we to do when a certificate is compromised? We can -re-issue a certificate, but the old one is still in the wind. Thats +re-issue a certificate, but the old one is still in the wind. That's where Online Certificate Status Protocol comes in. It defines a way to check validity of a certificate in a timely[^1] manner. @@ -30,7 +29,7 @@ the certificate itself, removing the need for another seperate request. ## Dissecting an OCSP Request -If the request is <255 bytes, OCSP allows it to be passed as a GET path. So a typical request looks like this +If the request is <255 bytes, OCSP allows it to be passed as a GET path. A typical request looks like this ```bash GET http://ocsp.int-x3.letsencrypt.org/MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA6D%2BPqgUVCy3wtolHIxq%2Bk0e 
@@ -77,7 +76,7 @@ curl https://crt.sh/?serial=03a0fe3ea814542cb7c2da251c8c6afa4d1e ## Privacy Takes a Backseat. Careful examination of above workflow will reveal that the OCSP flow -is happening over HTTP. Most issuers seems to stick to http; possibly +is happening over HTTP. Most issuers seem to stick to http; possibly to avoid cyclical dependencies. This means man-in-the-middle leakage of certificates a user is validating is happening, and by extension leakage of websites user is accessing. @@ -97,11 +96,11 @@ Whenever Onion Browser accesses a website with EV cert, (for e.g I stumbled upon this accidently while inspecting requests from my iPhone with [mitmproxy](https://mitmproxy.org/). The bug was reported -to Onion Browser team and [they have a better write up of the -situation](https://github.com/OnionBrowser/OnionBrowser/wiki/2019-178:-sites-with-EV-HTTPS-certificates-leak-information-via-OCSP). Unfortunatly -it is really hard to fix. :-( +to Onion Browser team and [they have a nice write up of the +situation](https://github.com/OnionBrowser/OnionBrowser/wiki/2019-178:-sites-with-EV-HTTPS-certificates-leak-information-via-OCSP). Unfortunately, +it is hard to fix. :-( -[^1]: Opposed to checking againist a [Certificate Revocation List](https://en.wikipedia.org/wiki/Certificate_revocation_list). -[^2]: Familier readers will note that this is plain OCSP, the non-stapling kind. +[^1]: Opposed to checking against a [Certificate Revocation List](https://en.wikipedia.org/wiki/Certificate_revocation_list). +[^2]: Familiar readers will note that this is plain OCSP, the non-stapling kind. diff --git a/css/theme.css b/css/theme.css index da13dba..ea47ed5 100644 --- a/css/theme.css +++ b/css/theme.css @@ -37,6 +37,10 @@ body { text-align: left; } +blockquote { + font-style: italic; +} + video, code { font-weight: 500; max-width: 100%;
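Review bot: removing the `# Trouble with OCSP` line in the first hunk of `blog/2019-08-06-trouble-with-ocsp.markdown` leaves the post body with no H1; that is only correct if the site template renders the title from the front matter, which nothing in this diff shows, so please confirm that or keep the heading. The same hunk fixes `maintaince`, `untill` and `Thats` but leaves `Most of the cases CAs issue a certificate and they are valid until the expiration time` ungrammatical; suggest `In most cases a CA issues a certificate and it stays valid until it expires`. `issued for a longer timespan` is also a dangling comparative (longer than what?); `for a long timespan` reads better.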
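Review bot: in the `@@ -30,7 +29,7 @@` hunk the context line `removing the need for another seperate request` still carries the typo `seperate`, while this commit is otherwise a spelling pass over the same post; fix it to `separate` here. The rewritten sentence `A typical request looks like this` is an improvement over `So a typical request ...`, but it still runs straight into the code fence without a colon; `A typical request looks like this:` would read cleanly.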
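Review bot: `Most issuers seem to stick to http` is the right subject-verb fix in the `@@ -77,7 +76,7 @@` hunk, but the unchanged context lines right below it overstate the threat: `man-in-the-middle leakage of certificates a user is validating` implies active interception is needed, whereas an OCSP request sent over plain HTTP is readable by any passive on-path observer without modifying anything; `leakage to anyone on the network path` would be accurate and still supports the point about leaking the sites being visited. While touching this paragraph, `leakage of websites user is accessing` is missing an article (`the user`).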
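Review bot: in the `@@ -97,11 +96,11 @@` hunk `accidently` in the context line `I stumbled upon this accidently while inspecting requests` is left unfixed while `Unfortunatly`, `againist` and `Familier` are corrected a few lines later; change it to `accidentally`, and `(for e.g` in the hunk's first context line should be `(e.g.`. Also note that changing `they have a better write up` to `they have a nice write up` drops the comparison the original made (the linked Onion Browser wiki page being more complete than this post); if that was not the intent, `a more detailed write up` keeps the sense.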
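Review bot: the new `blockquote { font-style: italic; }` rule in `css/theme.css` applies to everything inside a blockquote, including any `code` element nested in one, and italic monospace text is hard to read; the `video, code { ... }` rule just below only sets `font-weight` and `max-width`, so it will not reset the style. Suggest adding `blockquote code { font-style: normal; }` alongside the new rule. Separately, bundling a theme change with a spelling pass over one blog post makes the history harder to bisect; a separate commit for the CSS would be cleaner.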