From elise.toradin at web.de Tue Aug 23 16:01:22 2022
From: elise.toradin at web.de (elise.toradin at web.de)
Date: Tue, 23 Aug 2022 18:01:22 +0200
Subject: [tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB.

An HTML attachment was scrubbed...

From pospeselr at riseup.net Tue Aug 23 16:18:46 2022
From: pospeselr at riseup.net (Richard Pospesel)
Date: Tue, 23 Aug 2022 16:18:46 +0000
Subject: [tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB.
Message-ID: <2d4f474a-a56c-3de8-b8fd-83bee83acb98@riseup.net>

opened https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41115

On 8/23/22 16:01, elise.toradin at web.de wrote:
> Hi, sadly I noticed that OCSP (security.OCSP.enabled) is still enabled in the latest TBB, I hope you
> are all aware that this data is sent unencrypted and can be used by CAs to track users.
> OCSP Stapling has been a common feature of web servers since 2017, so I suppose we should rely on
> that instead?
> Firefox is configured to use OCSP Stabling by default, but I still see an unencrypted OCSP
> connection for every https:// connection.
> security.ssl.enable_ocsp_stapling = true
> security.ssl.enable_ocsp_must_staple = true
>
> security.OCSP.enabled = 0
> Best Regards,
> Elise
>
> _______________________________________________
> tbb-dev mailing list
> tbb-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xDE47360363F34B2C.asc
Type: application/pgp-keys
Size: 5560 bytes
Desc: OpenPGP public key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature

From elise.toradin at web.de Tue Aug 23 16:45:14 2022
From: elise.toradin at web.de (elise.toradin at web.de)
Date: Tue, 23 Aug 2022 18:45:14 +0200
Subject: [tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB.
In-Reply-To: <2d4f474a-a56c-3de8-b8fd-83bee83acb98@riseup.net>
References: <2d4f474a-a56c-3de8-b8fd-83bee83acb98@riseup.net>

An HTML attachment was scrubbed...

From pospeselr at riseup.net Tue Aug 23 16:47:10 2022
From: pospeselr at riseup.net (Richard Pospesel)
Date: Tue, 23 Aug 2022 16:47:10 +0000
Subject: [tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB.
References: <2d4f474a-a56c-3de8-b8fd-83bee83acb98@riseup.net>

Done :)

On 8/23/22 16:45, elise.toradin at web.de wrote:
> Can you please fix the following typo in the ticket:
> "..use OCSP Stabling by default.."
> which you copied from me.
> Sorry, but I am kind of a perfectionist, my thoughts kind of don't have an off button.
> Regards,
> Elise
>
> Sent: Tuesday, 23 August 2022 at 16:18
> From: "Richard Pospesel"
> To: tbb-dev at lists.torproject.org
> Subject: Re: [tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB.
>
> opened https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41115
>
> On 8/23/22 16:01, elise.toradin at web.de wrote:
> > Hi, sadly I noticed that OCSP (security.OCSP.enabled) is still enabled in the latest TBB, I hope you
> > are all aware that this data is sent unencrypted and can be used by CAs to track users.
> > OCSP Stapling has been a common feature of web servers since 2017, so I suppose we should rely on
> > that instead?
> > Firefox is configured to use OCSP Stabling by default, but I still see an unencrypted OCSP
> > connection for every https:// connection.
> > security.ssl.enable_ocsp_stapling = true
> > security.ssl.enable_ocsp_must_staple = true
> >
> > security.OCSP.enabled = 0
> > Best Regards,
> > Elise
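The thread proposes three preference values (keep stapling and must-staple on, set security.OCSP.enabled to 0) so that no cleartext OCSP request leaves the browser. The following is an added check written for this page; it is not Tor Browser code and not part of the messages above. It parses the `user_pref("name", value);` lines of a Firefox or Tor Browser prefs.js/user.js and reports whether the profile will still open live OCSP connections to CA responders. The values it assumes for preferences that are absent from the file are an assumption (they follow the defaults the thread describes) and should be confirmed in about:config for the build at hand; the two sample files are constructed for the example.

```python
"""Check a Firefox / Tor Browser prefs.js or user.js for live OCSP fetching.

Added example, not Tor Browser code: parses pref lines and reports whether
the profile will still contact CA OCSP responders over cleartext HTTP.
"""
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# Matches   user_pref("name", value);   or   pref("name", value);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Values assumed when a pref is not set in the file. ASSUMPTION: these follow
# the Firefox defaults described in the thread; confirm in about:config.
ASSUMED_DEFAULTS: Dict[str, PrefValue] = {
    "security.OCSP.enabled": 1,                    # 1 = fetch OCSP over HTTP, 0 = never fetch
    "security.ssl.enable_ocsp_stapling": True,     # accept responses stapled into the TLS handshake
    "security.ssl.enable_ocsp_must_staple": True,  # enforce a certificate's must-staple flag
}

# The configuration proposed in the thread: no live fetch, stapling enforced.
RECOMMENDED: Dict[str, PrefValue] = {
    "security.OCSP.enabled": 0,
    "security.ssl.enable_ocsp_stapling": True,
    "security.ssl.enable_ocsp_must_staple": True,
}


def _coerce(raw: str) -> PrefValue:
    """Turn the textual pref value into bool / int / str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js / user.js content; comments and blank lines are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _coerce(m.group(2))
    return prefs


def assess_ocsp(prefs: Dict[str, PrefValue]) -> Dict[str, object]:
    """Report whether the effective settings still allow cleartext OCSP fetches."""
    effective = {k: prefs.get(k, v) for k, v in ASSUMED_DEFAULTS.items()}
    findings: List[str] = []
    live_fetch = effective["security.OCSP.enabled"] != 0
    if live_fetch:
        findings.append(
            "security.OCSP.enabled=%r: browser will query CA OCSP responders over cleartext HTTP"
            % effective["security.OCSP.enabled"])
    if not effective["security.ssl.enable_ocsp_stapling"]:
        findings.append("OCSP stapling disabled: revocation status cannot arrive inside the TLS handshake")
    if not effective["security.ssl.enable_ocsp_must_staple"]:
        findings.append("must-staple not enforced: a server that omits the stapled response is still accepted")
    return {
        "live_ocsp_fetch": live_fetch,
        "effective": effective,
        "findings": findings,
        "matches_recommended": effective == RECOMMENDED,
    }


# Constructed sample files (not real profiles).
SAMPLE_HARDENED_USER_JS = '''\
// constructed sample user.js with the settings proposed in the thread
user_pref("security.ssl.enable_ocsp_stapling", true);
user_pref("security.ssl.enable_ocsp_must_staple", true);
user_pref("security.OCSP.enabled", 0);
'''

SAMPLE_DEFAULT_PREFS_JS = '''\
// constructed sample prefs.js that leaves live OCSP fetching on
user_pref("security.OCSP.enabled", 1);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for label, text in (("hardened", SAMPLE_HARDENED_USER_JS), ("default", SAMPLE_DEFAULT_PREFS_JS)):
        report = assess_ocsp(parse_prefs(text))
        print(label, "live_ocsp_fetch =", report["live_ocsp_fetch"])
        for f in report["findings"]:
            print("  -", f)
```

Point the script at a real profile by reading the file into `parse_prefs`; an empty `findings` list means the profile matches the thread's proposal. Note that a pref missing from the file is reported with the assumed default, so a profile that never touched security.OCSP.enabled is flagged as still fetching.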