I want some views on this;
I pretty strongly believe that #OCSP stapling and OCSP Must Staple should be the defaults, maybe even required on the web, maybe in all #TLS communication, at least when we're talking about globally trusted CAs. The only downside I see to it is offline access to private services in your network, but that's happening only every once in a while and it's possible that the OCSP cache might be valid for longer than that actually happens, right now Firefox being...
Secure your application traffic with Application Gateway mTLS
Rajesh Nautiyal, Senior Technical Program Manager, is happy to share that Azure Application Gateway now supports mutual transport layer security (mTLS) and online certificate status protocol (OCSP). Here, he covers what mTLS is, how it works, when to consider it, and how to verify it in Application Gateway.
Read more here: https://azure.microsoft.com/de-de/blog/secure-your-application-traffic-with-application-gateway-mtls/
#GemeenteUtrecht http://utrecht.nl http://internet.nl result: 2 red alerts :( :(, 2 warnings :(, 1 green :)
https://internet.nl/site/utrecht.nl/1846010/
Fond of services @GemeenteUtrecht@twitter.com (#kudos!!!) Pls tackle this lack of #security in Q1 2013.
#IPv6, #HSTS, #OCSP Stapling, #CSP, #RPKI
#gemeenteutrecht #kudos #security #IPv6 #hsts #ocsp #csp #rpki
That was a strange error. Over the weekend and on Monday a normal ICMP traceroute to ocsp.digicert.com went through, while a TCP traceroute on port 80 reported the provider's edge router as the last hop.
Meanwhile ocsp.digicert.com is answering on port 80 again, so it works again. Either I ended up on a denylist, or something was misconfigured there. #OCSP #DigiCert #InternetBroken
#ocsp #digicert #internetbroken
Am I the only one currently having problems with #Cloudflare #OCSP certificate checking?
$ curl --cert-status -v 'https://www.metacheles.de/'
[…]
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* No OCSP response received
$ curl --cert-status -v 'https://substack.com/'
[…]
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* No OCSP response received
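Added example, not part of the post above: the same stapling check done with `openssl s_client -status` instead of `curl --cert-status`, plus a small classifier for its output so the result can be scripted. It assumes the OpenSSL 1.1+ wording of the status lines; the two sample outputs are constructed and abridged.

```shell
#!/bin/sh
# ocsp_staple_status: read `openssl s_client -status` output on stdin and print
# one token: no-staple, stapled-good, stapled-revoked, stapled-other, unknown.
# A "no-staple" result on a Must-Staple certificate means strict clients will
# refuse the connection, which is what the curl output above is reporting.
ocsp_staple_status() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo "no-staple" ;;
    *"OCSP Response Status: successful"*)
      case "$out" in
        *"Cert Status: good"*)    echo "stapled-good" ;;
        *"Cert Status: revoked"*) echo "stapled-revoked" ;;
        *)                        echo "stapled-other" ;;
      esac ;;
    *) echo "unknown" ;;
  esac
}

# check_staple HOST: live handshake against HOST:443 with SNI set (needs the
# openssl CLI and network access; not exercised offline).
check_staple() {
  host=$1
  printf '' | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null \
    | ocsp_staple_status
}

# Constructed, abridged sample outputs for offline use.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = Example Root CA'
```

Usage: `check_staple www.example.com` prints the token for a live host; run `printf '%s' "$SAMPLE_NONE" | ocsp_staple_status` to see the offline path.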
Also, if you can't find any websites, just use the #rfc6960 #OCSP to get a list of their Staging or UAT subdomains.
And now you've "beaten" #ChatControl while talking in plain text right under their noses and using their expensive infrastructure money, you don't even need #ROT13! #fnord 🤣
[3/3]
#rfc6960 #ocsp #chatcontrol #ROT13 #fnord
Wow, #OCSP sucks more than I realized. It protects neither the server nor the client, but only provides protection and power to the certificate authority. Basically it makes it easier for them to revoke a certificate. So it's just yet another way for SSL certificate authorities to twist the thumb screws. No wonder it's so much of a pain to set up!
After I upgraded my macOS version, LibreOffice wouldn't start. Now I know why. And now I think it's time I switched my MacBook Air to #Linux. #OCSP
https://www.fsf.org/news/the-problems-with-apple-arent-just-outages-they-are-injustices
#Apple updates their documentation, clarifies it is not spying on what apps you run with their #OCSP, understands the arguments and promises changes like scrubbing all IP addresses from the logs, switching to encrypted communication. Good. https://support.apple.com/en-us/HT202491
Security warning:
Because OCSP is plaintext HTTP and macOS enforces OCSP verification by design, an ISP only needs simple monitoring to know what software is running on your system.
If you have installed software like ShadowsocksX-NG on macOS, which is not quite in line with the core socialist values, this design undoubtedly exposes you to a potential privacy leak as well as a personal safety risk.
https://twitter.com/quakewang/status/1327844193662746625
#macOS #OCSP #隐私与安全
What is the point of checking the signature at launch for applications that are already installed?
Scenario 1: A publisher declares that its encryption keys have been stolen. Do we delete its software from every Mac in the world??
"Even if the certificate has an OCSP staple ... Chrome always sends a blocking request to the Certificate Authority's server when connecting to a website that uses an EV certificate and this request can take hundreds of milliseconds. To make things worse, if the CA's server is down, your users see an error page instead of your website."
https://www.aaronpeters.nl/blog/ev-certificates-make-the-web-slow-and-unreliable/
#tls #pki #ocsp #security #performance
1/3 — Playing with #dnsdist and #OCSP #stapling with #letsencrypt certificates. The documentation lacks details about intermediate certificates, so here are the results of my tests. Everything is logical but since there are a lot of moving parts, forgetting a step is easy.
#dnsdist #ocsp #stapling #letsencrypt
When #Thunderbird says it cannot connect to the submission server because of an « unknown #TLS error », what it really means is sometimes:
« The server certificate has the #OCSP Must-Staple extension, but the server did not provide OCSP stapling information ».
Weird thing: it could drop the connection earlier, but it does so only after the server and client key exchange. Hard to debug 😨
Pro tip: OCSP stapling is not supported by your MTA.