
Friday, 01 April 2011

Comments


via Twitter, Christopher Soghoian
(RT by ioerror)

"Each time your browser validates a SSL cert via OCSP protocol, it queries the Cert Authority. If logged, the CA knows where you are surfing."
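As an added illustration of the tweet's point (example code, not from the post or any commenter; the CA and the certificate for the hypothetical site bank.example are constructed in memory): a browser's OCSP request carries no hostname, but the CertID it carries (issuer name hash, issuer key hash, serial number) identifies exactly one certificate, so a responder that logs requests can pair that certificate with the client IP and time of the request.

```python
# Added example: what an OCSP request actually tells the CA. Not code from
# the post or its commenters; the certificates below are constructed in memory.
import datetime
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def _cert(cn, signing_key, public_key, issuer=None, is_ca=False):
    """Issue a minimal certificate; issuer=None means self-signed (the CA)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2011, 4, 1, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer.subject if issuer is not None else subject)
               .public_key(public_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signing_key, hashes.SHA256())

def build_chain():
    """Constructed CA plus a leaf certificate for the hypothetical bank.example."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _cert("Example CA", ca_key, ca_key.public_key(), is_ca=True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf = _cert("bank.example", ca_key, leaf_key.public_key(), issuer=ca)
    return ca, leaf

def ocsp_request_for(leaf, issuer):
    """DER bytes the browser would send to the issuing CA's OCSP responder."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)

def what_the_ca_learns(der):
    """Decode the request as the responder does: no hostname, but a CertID
    (issuer hashes + serial) that maps to exactly one certificate."""
    req = ocsp.load_der_ocsp_request(der)
    return {"hash_algorithm": req.hash_algorithm.name,
            "issuer_name_hash": req.issuer_name_hash.hex(),
            "issuer_key_hash": req.issuer_key_hash.hex(),
            "serial": req.serial_number}

def expected_issuer_hashes(issuer):
    """RFC 6960 CertID: SHA-1 of the issuer DN and of the issuer's raw public key."""
    name_hash = hashlib.sha1(issuer.subject.public_bytes()).hexdigest()
    raw_key = issuer.public_key().public_bytes(serialization.Encoding.DER,
                                               serialization.PublicFormat.PKCS1)
    return name_hash, hashlib.sha1(raw_key).hexdigest()
```

Running `what_the_ca_learns(ocsp_request_for(leaf, ca))` on the constructed chain shows the serial and issuer hashes the CA receives with every validation, while `b"bank.example" in der` is False: the site name never leaves the client, but the certificate identity does.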

Be warned that enabling this setting reduced my App Store app to a crawl.


------------------------- NOTE -----------------


There's a discussion thread about this problem.

http://discussions.apple.com/thread.jspa?messageID=13327545

From the thread:

"Switching off certificate checks did solve the problem. However the discussion in that thread suggests that this fix subverts security."

Folks may also want to check out the 'Perspectives' extension for Firefox (CA mismatch detection)

http://www.networknotary.org/firefox.html

as well as recent initiatives by Google such as their 'Cert Catalog' (not meant to be a replacement for OCSP/CRL)

http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html

Lots of work ahead to improve PKI infrastructure. In the meantime we don our tfh's.

When I enable this option in Keychain Access, App Store becomes unusably slow. Every page change takes 10 or more seconds. Is that "normal" or is it just happening to me?

@tempelorg


Hi Dave Z,

I downloaded Opera to confirm this. It seems that Opera uses the certificate validation settings as set in the Certificates pane of Keychain Access. I gathered this from Help -> Search -> "certificate revocation", which returns "Changing the validation settings for certificates". I didn't see any explicit method to modify certificate validation in an Opera preference. Is this what you meant in your comment?
