SSL man-in-the-middle attacks

Posted Dec 27, 2008 17:45 UTC (Sat) by hmh (subscriber, #3838)
In reply to: SSL man-in-the-middle attacks by james-mathiesen
Parent article: SSL man-in-the-middle attacks

It depends.

The entire revocation list is downloaded and stored for further reference.

The URL to the revocation list is not in the certificate, but in the issuer certificate from the CA, so the information leak is very limited on a normal certificate from a normal CA.

SSL man-in-the-middle attacks

Posted Dec 27, 2008 19:35 UTC (Sat) by hmh (subscriber, #3838) [Link] (1 responses)

Never mind. This is incorrect. Yes, you disclose information, OCSP wants to be lightweight, so you tell the server just the certificates you're interested in.

That teaches me to re-check my facts before posting...

SSL man-in-the-middle attacks

Posted Dec 28, 2008 2:00 UTC (Sun) by james-mathiesen (guest, #50470) [Link]

Thanks for checking. I was hoping I had missed something. :(