[tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB.

Richard Pospesel pospeselr at riseup.net
Tue Aug 23 16:47:10 UTC 2022


Done :)

On 8/23/22 16:45, elise.toradin at web.de wrote:
> Can you please fix the following typo in the ticket:
> "..use OCSP Stabling by default.."
> which you copied from me.
> Sorry, but I am kind of a perfectionist, my thoughts kind of don't have an off button.
> Regards,
> Elise
> *Sent:* Tuesday, 23 August 2022 at 16:18
> *From:* "Richard Pospesel" <pospeselr at riseup.net>
> *To:* tbb-dev at lists.torproject.org
> *Subject:* Re: [tbb-dev] Data Leak: Disable old, unencrypted OCSP verification in TBB.
> opened https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41115
> 
> On 8/23/22 16:01, elise.toradin at web.de wrote:
>  > Hi, sadly I noticed that OCSP (security.OCSP.enabled) is still enabled in the latest TBB, I hope you
>  > are all aware that this data is sent unencrypted and can be used by CA's to track users.
>  > OCSP Stapling has been a common feature of web servers since 2017, so I suppose we should rely on
>  > that instead?
>  > Firefox is configured to use OCSP Stabling by default, but I still see an unencrypted OCSP
>  > connection for every https:// connection.
>  > security.ssl.enable_ocsp_stapling = true
>  > security.ssl.enable_ocsp_must_staple = true
>  >
>  > security.OCSP.enabled = 0
>  > Best Regards,
>  > Elise
>  >
>  > _______________________________________________
>  > tbb-dev mailing list
>  > tbb-dev at lists.torproject.org
>  > https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev 
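An added check, not code from the thread or from Tor Browser, that parses Firefox-style `user_pref` lines from a prefs.js or user.js and reports whether the live, unencrypted OCSP fetch Elise describes is still in effect. The defaults assumed for prefs that are absent from the file are an assumption; verify them against about:config.

```python
import re

# One Firefox prefs.js / user.js entry looks like: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed Firefox defaults used when a pref is not set in the file.
DEFAULTS = {
    "security.OCSP.enabled": 1,                    # 0 disables live OCSP fetching
    "security.ssl.enable_ocsp_stapling": True,
    "security.ssl.enable_ocsp_must_staple": True,
}

def parse_prefs(text):
    """Parse user_pref lines into a dict; values become bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and unrelated content are skipped
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave unknown literals as text
    return prefs

def audit_ocsp(prefs):
    """Return findings about revocation checking that leaks to the CA."""
    eff = {k: prefs.get(k, v) for k, v in DEFAULTS.items()}
    findings = []
    if eff["security.OCSP.enabled"] != 0:
        findings.append("live OCSP fetch enabled: plaintext request to the CA "
                        "responder reveals the visited site to the CA")
    if not eff["security.ssl.enable_ocsp_stapling"]:
        findings.append("OCSP stapling disabled: server-supplied status unused")
    if not eff["security.ssl.enable_ocsp_must_staple"]:
        findings.append("must-staple not enforced")
    return findings

# Constructed sample: stapling on, but live OCSP fetching left at its default.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("security.ssl.enable_ocsp_stapling", true);
user_pref("security.ssl.enable_ocsp_must_staple", true);
user_pref("security.OCSP.enabled", 1);
'''

if __name__ == "__main__":
    for f in audit_ocsp(parse_prefs(SAMPLE_PREFS)):
        print("FINDING:", f)
```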