On Wed, Nov 6, 2013 at 7:36 PM, Alex Xu <alex_y...@yahoo.ca> wrote:
> On 06/11/13 08:00 PM, Michael Orlitzky wrote:
>> On 11/06/2013 02:11 PM, Thomas D. wrote:
>>
>>> This is going OT but I cannot leave this statement uncommented,
>>> because from my knowledge this is wrong/you are hiding important
>>> information everyone should know about:
>>
>> I figure everyone here is smart enough to google "OCSP" before
>> unchecking the box. This isn't the place to argue that the CA system
>> is broken, but I will respond to a few points.
>
> I figure everyone here is smart enough not to spread knowingly-incorrect
> propaganda.

>>> Regarding your privacy concerns: No, your OCSP-enabled browser
>>> won't share the address (URL) with the OCSP responder. Your browser
>>> will use the site's certificate serial number to ask the OCSP
>>> responder if the certificate is still valid. Yes, the company who
>>> is running the OCSP responder is able to log "You [IP, UA...]
>>> requested status for certificates with the serial number 0x1, 0x2,
>>> 0x3" and because the OCSP responder needs some basic knowledge
>>> about the certificates it should provide answers for, the operator
>>> may know that the certificate with the serial number 0x1 has the
>>> Common Name (CN) "www.mysecretsite.invalid" and 0x2 was issued for
>>> "www.mydarksecrets.invalid" or 0x3 was for "www.facebook.com", but
>>> the operator doesn't know the URL you visited.
>>
>> This is a long way of saying "it sends the address of every website
>> you visit to a third party."
>
> Addresses, in the context of web browsing, are commonly understood to
> mean URLs, which include protocol, name, port, and path.
>
> OCSP only sends the "name" portion. Thus, the statement was a long way
> of saying "you are wrong."

A bit of additional consideration: Given the above statement and RFC 2560,
OCSP sends the certificate serial, not the name. With the availability of
"Wildcard" certificates and the subjectAltName parameter, with many
certificates that serial will not let the CA actually know which domain you
are visiting.