On 2015-05-04 19:57:25 +0200, Alessandro Ghedini wrote:
> On lun, mag 04, 2015 at 12:28:02 +0200, Vincent Lefevre wrote:
> > OK, if I understand, it just supports OCSP stapling, not plain OCSP.
> > So, why not use plain OCSP if no OCSP stapling information is
> > received?
>
> Plain OCSP has several problems

This is FUD. The possible problems are very minor compared to other
problems, in particular compared to the potential security problems.

> (increased latency,

Only for the first request to the server. So, on average, I doubt that
this is noticeable. Adverts and images on web sites are much worse.

> privacy concerns,

Well, at worst, the OCSP responder just gets the domain and the IP of
the user, right? There are similar privacy concerns with the DNS, and
even worse with the ISP (which can get much more information on the
user). And with Google and Facebook too. This doesn't prevent users
from using them.

Note: the importance of privacy concerns depends on the web site. But
the web sites for which this is really important probably already
provide OCSP stapling information, or the user can complain to them.

> and general unreliability)

Very rare. I've been using security.OCSP.require = true with Firefox
for one year now, and the only problems I could see were:

1. A failure with some OCSP server for a couple of hours (failures with
   common websites occur much more often).

2. The problem with captive portals, but the user should be able to
   deactivate OCSP easily for such cases; so, that's basically a UI
   problem at most. Note that for curl and other non-browser clients,
   having plain OCSP is an advantage: instead of getting wrong
   contents, the user would get an error.

3. Plain OCSP fails when there are many requests at the same time (this
   could happen in the past when starting Firefox with 50 tabs in the
   saved session). But this isn't much different from a failure with
   the website itself one would get if plain OCSP were not used.

> so there's little chance it will be implemented, let alone enabled
> by default.

If curl were built against GnuTLS, it would have it automatically (like
lynx and wget).
-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
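The fallback the reply asks for (use the stapled response when the server sends one, otherwise query the OCSP responder directly), as an added example that is not code from the thread, from curl or from GnuTLS; it assumes openssl(1) is installed and that the Debian CA bundle sits at /etc/ssl/certs/ca-certificates.crt.

```shell
#!/bin/sh
# Added example (not from the thread or from curl): use the stapled OCSP
# response when the server sends one, otherwise fall back to plain OCSP.
# Assumes openssl(1) and the Debian CA bundle path below (assumption).
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Classify `openssl s_client -status` output read from stdin: prints
# "none" (nothing stapled), "good" (stapled and status good) or "bad".
ocsp_stapled_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' &&
         printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        echo good
    else
        echo bad
    fi
}

# Plain OCSP: fetch the chain, take the responder URL from the leaf's AIA
# extension and query it; the response is verified against the CA bundle.
plain_ocsp_check() {
    host=$1; dir=$(mktemp -d)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk -v d="$dir" '/BEGIN CERT/{n++} n>0{print > (d "/cert" n ".pem")}'
    uri=$(openssl x509 -in "$dir/cert1.pem" -noout -ocsp_uri)
    openssl ocsp -issuer "$dir/cert2.pem" -cert "$dir/cert1.pem" -url "$uri" \
        -CAfile "$CA_BUNDLE" 2>&1 | grep -iE 'response verify|cert1.pem:'
    rm -rf "$dir"
}

# Prefer the stapled response; only query the responder when none is sent.
check_host() {
    host=$1
    st=$(openssl s_client -status -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | ocsp_stapled_status)
    case $st in
        good) echo "$host: stapled response says good" ;;
        none) echo "$host: nothing stapled, querying responder"
              plain_ocsp_check "$host" ;;
        *)    echo "$host: stapled response present but not good" ;;
    esac
}

if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

Run it as `sh ocsp-check.sh www.example.org`; a "bad" classification (stapled but not good) is deliberately not retried over plain OCSP, since a server that staples a non-good status should not be trusted on a second opinion.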