what is the “Online Certificate Status Protocol”
Gilles Gravier
ggravier at fsfe.org
Wed Mar 9 12:23:24 UTC 2011
Hi, Erik!
On 09/03/2011 10:30, erikmccaskey64 wrote:
> I use privoxy. In the user.action file i have a redirect rule and a
> few websites:
>
> { +redirect{s at http://@https://@} }
> .twitter.com
> .facebook.com
>
> Ok! it's working great, e.g.: if i visit any "*twitter.com" URL it
> gets redirected to HTTPS!
>
> But: with wireshark i can see some "OCSP" packets [
> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
> Question: What are these packets? Why aren't they in HTTPS?
>
> Is my redirection method with privoxy secure?
>
> Thank you for any tips/opinions!
OCSP is a protocol in itself. It is used to validate that a digital
certificate hasn't been disabled, or invalidated in some way or another.

When you receive a certificate from somebody, you do several things...

1) Check that you trust the certificate chain up to the root CA
(Certification Authority), which is why you need to have all the adequate
root certificates in your system.

2) Check that the expiration date in the certificate is not past (or
else, even if the certificate is cryptographically valid, the reason why
it was attributed might be gone due to the expiration date).

3) Check that, even if the certificate isn't expired, and it is in a
valid chain of trust, it hasn't been revoked (employee left the
company, secret key compromised, or any other valid reason).

To check whether a certificate has been revoked or not, there are 2 means.

1) Check a CRL (Certificate Revocation List), which you download every
now and then, and compare your certificate with what's in the list.
This is fast and can be done off-line, but the CRL needs to be updated every
now and then... and you have a window of opportunity for attack if you
check between refreshes of the CRL and in the interim the certificate
has been revoked.

2) Real-time checking with the original certification authority. This is
done by using the OCSP protocol, and talking to the CA's OCSP responder,
a system that is an OCSP server, that gets a query for the validity of a
certificate and answers telling you whether it's valid (date and
revocation) or not.

This isn't embedded inside HTTP. It's a protocol of its own. Let it go
through. Or disable OCSP certificate checks in your applications (I
don't recommend it, if it's at all sensitive).
Gilles.
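The three checks described in the reply (chain, expiry, revocation) and the difference between a downloaded CRL and a live OCSP exchange, as an added worked example that is not part of the original mailing-list post. It uses the third-party `cryptography` package (not a privoxy or Ubuntu component) to build a throwaway CA, issue one leaf certificate, and then play both the client and the OCSP responder locally, so nothing talks to a real CA. All names, keys, serials and dates are constructed for the demonstration; the scenario deliberately uses a CRL fetched "yesterday" so that the window-of-opportunity problem the reply mentions shows up in the results.

```python
# Added example, not code from the original post. Requires: pip install cryptography
# Constructed PKI: self-signed "Example Test CA" issues "www.example.test".
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC
DAY = datetime.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca_and_leaf():
    """Constructed CA key/cert and one leaf certificate it signed."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder()
          .subject_name(_name("Example Test CA")).issuer_name(_name("Example Test CA"))
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = (x509.CertificateBuilder()
            .subject_name(_name("www.example.test")).issuer_name(ca.subject)
            .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .sign(ca_key, hashes.SHA256()))
    return ca_key, ca, leaf


def chain_ok(cert, ca):
    """Step 1: the certificate was really issued (signed) by the CA we trust."""
    if cert.issuer != ca.subject:
        return False
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def not_expired(cert, at=NOW):
    """Step 2: the validity window contains the current time."""
    try:  # cryptography >= 42 exposes aware *_utc attributes; older versions are naive
        start, end = cert.not_valid_before_utc.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)
    except AttributeError:
        start, end = cert.not_valid_before, cert.not_valid_after
    return start <= at <= end


def build_crl(ca_key, ca, revoked_serials, issued_at):
    """Step 3a, CA side: a signed CRL as it stood at `issued_at`."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
         .last_update(issued_at).next_update(issued_at + 7 * DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(issued_at).build())
    return b.sign(ca_key, hashes.SHA256())


def crl_status(cert, crl, ca):
    """Step 3a, client side: offline lookup in a previously downloaded CRL."""
    if not crl.is_signature_valid(ca.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"


def ocsp_request(cert, ca):
    """Step 3b, client side: DER-encoded OCSP request for one certificate (what Wireshark sees)."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, ca, hashes.SHA256()).build() \
        .public_bytes(serialization.Encoding.DER)


def ocsp_responder(request_der, ca_key, ca, issued_db, revoked_db):
    """Step 3b, responder side: answer from the CA's live records, signed with the CA key."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert = issued_db[req.serial_number]            # the CA keeps every cert it issued
    revoked_at = revoked_db.get(req.serial_number)  # None unless revoked
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + DAY,
        revocation_time=revoked_at,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked_at else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
    return b.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def ocsp_status(cert, response_der, ca):
    """Step 3b, client side: verify the responder's signature before trusting its answer."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder returned an error status")
    ca.public_key().verify(resp.signature, resp.tbs_response_bytes,
                           ec.ECDSA(resp.signature_hash_algorithm))  # raises InvalidSignature
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is about a different certificate")
    return resp.certificate_status.name.lower()  # "good", "revoked" or "unknown"


def demo():
    """Leaf is fine yesterday, key compromised today: stale CRL vs live OCSP."""
    ca_key, ca, leaf = make_ca_and_leaf()
    stale_crl = build_crl(ca_key, ca, [], NOW - DAY)     # downloaded before the revocation
    revoked = {leaf.serial_number: NOW}                  # CA revokes the leaf today
    fresh_crl = build_crl(ca_key, ca, list(revoked), NOW)
    resp = ocsp_responder(ocsp_request(leaf, ca), ca_key, ca, {leaf.serial_number: leaf}, revoked)
    return {"chain": chain_ok(leaf, ca), "expiry": not_expired(leaf),
            "stale_crl": crl_status(leaf, stale_crl, ca),   # "good": the window of opportunity
            "fresh_crl": crl_status(leaf, fresh_crl, ca),   # "revoked" once the CRL is refreshed
            "ocsp": ocsp_status(leaf, resp, ca)}            # "revoked": real-time answer


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the five results. The point to take from `demo()` is that chain and expiry checks both pass for a certificate whose key was compromised an hour ago; only the revocation check catches it, and a CRL fetched before the revocation still reports "good" until the next refresh, which is exactly the gap OCSP's live query closes. Note that the client verifies the OCSP response signature against the CA before using the answer; an unsigned or wrongly signed "good" is worthless.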