Hello and welcome to the Friday, April 14th, 2020,

edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

In today's diary, I wrote about OCSP, the online certificate status protocol.

What sort of prompted this discussion was

when I look at my HTTP traffic, so anything that's not TLS, a large number of connections

actually are OCSP connections. So I want to dig a little bit in to what the protocol is and why we need it. OCSP connection, so I want to dig a little bit in to what the protocol is and why we need it.

OCSP is used to check if a particular TLS certificate is still valid.

It's a simple API that's embedded in certificates.

It's sort of a replacement for certificate revocation lists, even though

you sometimes find both certificate revocation lists and OCSP URLs embedded in certificates.

Now, like any protocol, OCSP is not without sort of some controversy, and browsers don't necessarily check whether or not a certificate is still valid using OCSP.

Most browsers these days, I'm talking here about Safari and Google Chrome, will basically download sets of certificate relocation lists or CRL sets, which are curated

by Google and by Apple, and they will use those lists to identify revoked certificates.

In particular, interesting, Safari will only actually check OCSP if the certificate is revoked according to the certificate

revocation list. So it kind of gives the certificate there a second chance. If OCSP returns,

that a certificate is still good, well, it will actually accept it, which is a little bit weird.

The other problem with OCSP is that, as I mentioned, it's in the clear.

It's using HTTP.

Now, all the message are digitally signed, so that's not really the problem here.

But there is a privacy problem here because you will send the certificates serial number in the clear,

and someone could easily look up

...