opened https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41115
On 8/23/22 16:01, elise.toradin@web.de wrote:
Hi, sadly I noticed that OCSP (security.OCSP.enabled) is still enabled in the latest TBB, I hope you are all aware that this data is sent unencrypted and can be used by CA's to track users. OCSP Stapling has been a common feature of web servers since 2017, so I suppose we should rely on that instead? Firefox is configured to use OCSP Stabling by default, but I still see an unencrypted OCSP connection for every https:// connection. security.ssl.enable_ocsp_stapling = true security.ssl.enable_ocsp_must_staple = true
security.OCSP.enabled = 0 Best Regards, Elise
tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
Done :)
On 8/23/22 16:45, elise.toradin@web.de wrote:
Can you please fix the following typo in the ticket: "..use OCSP Stabling by default.." which you copied from me. Sorry, but I am kind of a perfectionist, my thoughts kind of don't have an off button. Regards, Elise *Gesendet:* Dienstag, 23. August 2022 um 16:18 Uhr *Von:* "Richard Pospesel" pospeselr@riseup.net *An:* tbb-dev@lists.torproject.org *Betreff:* Re: [tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB. opened https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41115 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41115
On 8/23/22 16:01, elise.toradin@web.de wrote:
Hi, sadly I noticed that OCSP (security.OCSP.enabled) is still enabled in the latest TBB, I hope you are all aware that this data is sent unencrypted and can be used by CA's to track users. OCSP Stapling has been a common feature of web servers since 2017, so I suppose we should rely on that instead? Firefox is configured to use OCSP Stabling by default, but I still see an unencrypted OCSP connection for every https:// connection. security.ssl.enable_ocsp_stapling = true security.ssl.enable_ocsp_must_staple = true
security.OCSP.enabled = 0 Best Regards, Elise
tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev _______________________________________________ tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev