
SSL man-in-the-middle attacks


Posted Dec 26, 2008 22:25 UTC (Fri) by james-mathiesen (guest, #50470)
Parent article: SSL man-in-the-middle attacks

Hmm... does the revocation protocol leak a lot of information about online activities to 3rd parties? IP address 1.2.3.4 apparently banks at xxx, shops at Amazon, etc...



SSL man-in-the-middle attacks

Posted Dec 27, 2008 17:45 UTC (Sat) by hmh (subscriber, #3838) [Link] (2 responses)

It depends.

The entire revocation list is downloaded and stored for further reference.

The URL to the revocation list is not in the certificate, but in the issuer certificate from the CA, so the information leak is very limited on a normal certificate from a normal CA.

SSL man-in-the-middle attacks

Posted Dec 27, 2008 19:35 UTC (Sat) by hmh (subscriber, #3838) [Link] (1 responses)

Never mind. This is incorrect. Yes, you disclose information: OCSP wants to be lightweight, so you tell the server just the certificates you're interested in.

That teaches me to re-check my facts before posting...

SSL man-in-the-middle attacks

Posted Dec 28, 2008 2:00 UTC (Sun) by james-mathiesen (guest, #50470) [Link]

Thanks for checking. I was hoping I had missed something. :(
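The disclosure discussed in this thread, as an added example that is not part of any comment above: a minimal RFC 6960 OCSP request is built for one certificate, then the issuer hashes and serial number are read back from the GET URL alone, which is what the responder sees alongside the client's IP address. The issuer bytes, the serial number and the responder URL `http://ocsp.example.test` are constructed placeholders.

```python
import base64, hashlib
from urllib.parse import quote, unquote

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(buf, off=0):
    """Decode one DER TLV at off; return (tag, value, next offset)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26, NULL parameters)
SHA1_ALG = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))

def ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """Minimal unsigned OCSPRequest (RFC 6960) for one certificate."""
    serial_der = der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    cert_id = der(0x30, SHA1_ALG
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())
                  + serial_der)
    # OCSPRequest > TBSRequest > requestList > Request > CertID
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def ocsp_get_url(responder, req):
    """GET form: responder URL + '/' + url-encoded base64 of the DER request."""
    return responder.rstrip("/") + "/" + quote(base64.b64encode(req), safe="")

def disclosed_by_url(url):
    """Recover what the responder can read from the request URL alone."""
    body = base64.b64decode(unquote(url.rsplit("/", 1)[1]))
    for _ in range(5):  # unwrap the five nested SEQUENCEs down to CertID
        _, body, _ = read(body)
    fields, off = [], 0
    while off < len(body):
        _, value, off = read(body, off)
        fields.append(value)
    _alg, name_hash, key_hash, serial = fields
    return {"issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big")}
```

The issuer hashes identify the CA and the serial number identifies the exact certificate, so each request names the site being visited to whoever operates the responder.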


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds