LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SSL man-in-the-middle attacks

SSL man-in-the-middle attacks

Posted Dec 27, 2008 17:45 UTC (Sat) by hmh (subscriber, #3838)
In reply to: SSL man-in-the-middle attacks by james-mathiesen
Parent article: SSL man-in-the-middle attacks

It depends.

The entire revocation list is downloaded and stored for further reference.

The URL to the revocation list is not in the certificate, but in the issuer certificate from the CA, so the information leak is very limited on a normal certificate from a normal CA.

(Log in to post comments)

SSL man-in-the-middle attacks

Posted Dec 27, 2008 19:35 UTC (Sat) by hmh (subscriber, #3838) [Link]

Never mind. This is incorrect. Yes, you disclose information, OCSP wants to be lightweight, so you tell the server just the certificates you're interested in.

That teaches me to re-check my facts before posting...

SSL man-in-the-middle attacks

Posted Dec 28, 2008 2:00 UTC (Sun) by james-mathiesen (subscriber, #50470) [Link]

Thanks for checking. I was hoping I had missed something. :(

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds