Hacker News

I should note that blocking OCSP requests will not cause revoked.grc.com to function.

The server is using OCSP stapling, which means the OCSP certificate is being sent directly by the https server; an attacker would obviously not be sending an OCSP response indicating the certificate was revoked...



Why does OCSP stapling even exist?


Because querying the OCSP servers directly results in a crazy amount of traffic.

Implemented in the most paranoid manner possible, every https request would result in an OCSP request.

That would be millions of requests per second for a large CA.

They have effectively no financial interest in actually supporting that.


More importantly, it removes the privacy leak from client to CA, since the client is no longer speaking to the CA directly (it just has to look at the signature).



