LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SSL man-in-the-middle attacks

SSL man-in-the-middle attacks

Posted Dec 26, 2008 22:25 UTC (Fri) by james-mathiesen (subscriber, #50470)
Parent article: SSL man-in-the-middle attacks

hmm... does the revocation protocol leak a lot of information about online activities to 3rd parties? ip address 1.2.3.4 apparently banks at xxx, shops at amazon, etc...

(Log in to post comments)

SSL man-in-the-middle attacks

Posted Dec 27, 2008 17:45 UTC (Sat) by hmh (subscriber, #3838) [Link]

It depends.

The entire revocation list is downloaded and stored for further reference.

The URL to the revocation list is not in the certificate, but in the issuer certificate from the CA, so the information leak is very limited on a normal certificate from a normal CA.

SSL man-in-the-middle attacks

Posted Dec 27, 2008 19:35 UTC (Sat) by hmh (subscriber, #3838) [Link]

Never mind. This is incorrect. Yes, you disclose information, OCSP wants to be lightweight, so you tell the server just the certificates you're interested in.

That teaches me to re-check my facts before posting...

SSL man-in-the-middle attacks

Posted Dec 28, 2008 2:00 UTC (Sun) by james-mathiesen (subscriber, #50470) [Link]

Thanks for checking. I was hoping I had missed something. :(

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds