NetBSD-Users archive


Re: what is the “Online Certificate Status Protocol”



On Mar 9, 2011, at 4:30 36AM, erikmccaskey64 wrote:

> I use privoxy. In the user.action file i have a redirect rule and a few 
> websites: 
> 
> 
> { +redirect{s@http://@https://@} }
> .twitter.com
> .facebook.com
> 
> 
> Ok! it's working great, e.g.: if I visit any "*twitter.com" URL it gets 
> redirected to HTTPS!
> 
> 
> But: with Wireshark I can see some "OCSP" packets [ 
> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
> 
> 
> Question: What are these packets? Why aren't they in HTTPS?
> 
> 
> Is my redirection method with privoxy secure?
> 
> 
> Thank you for any tips/opinions!
> 

OCSP is trying to solve the problem of knowing when a certificate has 
expired.  The older way to do that is the CRL -- Certificate Revocation
List -- which is a file you're supposed to download periodically.  It
may be out of date, but it's usable when you're offline, and the
certificate is supposed to tell you where to get one and how often it's
supposed to be refreshed.  (Aside: I'm not 100% certain if the refresh
time is in the cert or in the CRL.)

OCSP is the answer: it asks the Certificate Authority in real-time if
the cert has been revoked.  Of course, it requires that both you and the
CA be online; these days, that's a lot easier to assume.

So -- why is privoxy issuing OCSP requests?  Probably because the
programmer wrote some extra code to ensure that the certificate for
the site you're going to is still valid.  In other words, it's more
protection, not less.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb