security.ocsp.require - Why isn't this enabled by default?

Been reviewing some problems with OCSP revocation, like:

https://www.grc.com/revocation.htm
https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/

From that and other articles, they mentioned there were 2 settings in
Firefox's config UI (the internal tab page):

Use the OCSP server to confirm the current validity of certificates
When an OCSP server connection fails, treat the certificate as invalid.

The first option is there in Firefox (Options -> Advanced ->
Certificates).  The second, if it was there before, is not there now.
It looks like users must delve into about:config and change
security.ocsp.require from its default of False to True.  Firefox 52.0.2
still has security.ocsp.require set to False.  That means Firefox
will not enforce validation of the cert.

If the server cannot be reached or is too busy to respond, the web
browser might decide to stop waiting and proceed using the site cert and
pretend to the user that the cert is okay.  I'd rather know if a cert
was revoked, expired, or incapable of getting validated at the OCSP
server.  All those statuses mean the cert cannot be trusted.

Yes, OCSP servers can get swamped with requests which results in
timeouts or lack of connections by clients but that doesn't mean that I
want to proceed with a non-validated cert.  In that case, there would
be no difference in using HTTP or HTTPS to connect to the site.  Well,
the traffic would still be encrypted but identity is another purpose of
certificates.  I'd rather have Firefox tell me it could not validate to
the OCSP server (no connection, no response if it did connect) and let
me choose what to do about the connection to the supposedly secure site.

I've set security.ocsp.require to True.  I've yet to hit a site where
its CA's OCSP would not respond but I'm still testing.  The option's
description is to have Firefox terminate the connection if the OCSP does
not respond (no connect, too busy).  Hopefully that means the user gets
a prompt asking if they want to continue or abort the connection; else,
users would end up visiting sites, get disconnected when OCSP did not
respond, and not know why Firefox refused the connection.
VanguardLH
4/17/2017 3:18:49 AM
mozilla.support.firefox
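The post above describes the behaviour that matters: with the default of security.ocsp.require = false Firefox soft-fails (proceeds when the responder cannot be reached), and setting it to true makes it hard-fail. The following Python script is an added example, not code from the thread or from Mozilla: it parses the prefs.js / user.js format (one `user_pref("name", value);` per line) from a Firefox profile and reports which of the two modes the profile is actually in, including whether OCSP is turned off entirely and whether stapled responses are accepted. The canonical preference names are security.OCSP.enabled, security.OCSP.require and security.ssl.enable_ocsp_stapling; lookups are case-insensitive so the lowercase spelling used in the thread also matches. The default values and the sample profile fragments are constructed for this example.

```python
"""Added example: audit a Firefox prefs.js / user.js fragment for the OCSP
soft-fail vs. hard-fail behaviour discussed in this thread."""
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# prefs.js / user.js carry one entry per line:  user_pref("name", value);
# Values are double-quoted strings, integers, or the bare words true/false.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;'
)

# Default values assumed for the preferences that matter here (constructed for
# this example; check about:config on your own build). Names are stored in
# lowercase so "security.ocsp.require" and "security.OCSP.require" both resolve.
DEFAULTS: Dict[str, PrefValue] = {
    "security.ocsp.enabled": 1,                 # 0 = off, 1 = check every cert, 2 = EV certs only
    "security.ocsp.require": False,             # True = hard-fail when the responder cannot be reached
    "security.ssl.enable_ocsp_stapling": True,  # accept a response stapled into the TLS handshake
}


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {lowercased pref name: typed value} for every user_pref line."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and malformed entries are skipped
        raw = m.group("value")
        value: PrefValue
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"')  # unescape embedded quotes
        else:
            value = int(raw)
        prefs[m.group("name").lower()] = value
    return prefs


def effective(prefs: Dict[str, PrefValue], name: str) -> PrefValue:
    """Value the profile will actually use: explicit override, else the default."""
    key = name.lower()
    return prefs.get(key, DEFAULTS[key])


def ocsp_mode(text: str) -> str:
    """Classify a profile as 'ocsp-disabled', 'soft-fail' or 'hard-fail'."""
    prefs = parse_prefs(text)
    if effective(prefs, "security.OCSP.enabled") == 0:
        return "ocsp-disabled"
    return "hard-fail" if effective(prefs, "security.OCSP.require") else "soft-fail"


def stapling_accepted(text: str) -> bool:
    """True when the profile will use an OCSP response stapled by the server."""
    return bool(effective(parse_prefs(text), "security.ssl.enable_ocsp_stapling"))


# Constructed sample fragments (not taken from any real profile).
STOCK_PROFILE = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.enabled", 1);
"""

HARDENED_PROFILE = """\
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", true);
user_pref("security.ssl.enable_ocsp_stapling", true);
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {ocsp_mode(text)}, stapling accepted: {stapling_accepted(text)}")
```

Point the script at a copy of a profile's prefs.js (or a deployed user.js) rather than the live file; a "soft-fail" result means an unreachable responder is silently ignored, which is exactly the gap the original poster is asking about.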

VanguardLH <V@nguard.LH> Wrote in message:
> <long snip>
> 
> I've set security.ocsp.require to True.  I've yet to hit a site where
> its CA's OCSP would not respond but I'm still testing.  The option's
> description is to have Firefox terminate the connection if the OCSP does
> not respond (no connect, too busy).  Hopefully that means the user gets
> a prompt asking if they want to continue or abort the connection; else,
> users would end up visiting sites, get disconnected when OCSP did not
> respond, and not know why Firefox refused the connection.
> 
It'll probably work for you from what this guy says:
<https://bugzilla.mozilla.org/show_bug.cgi?id=1183405>

Several references in bugzilla to this pref.
-- 
(Remove any numerics from my email address.)
Dave
4/18/2017 6:35:53 AM
VanguardLH wrote:
> Been reviewing some problems with OCSP revocation, like:
> 
> https://www.grc.com/revocation.htm
> https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/

I think this OCSP stapling makes the other OCSP check unnecessary.

Maybe most sites are using stapling now, so OCSP isn't worth the
overheads, like performance, false positives etc.
Richmond
4/18/2017 7:04:34 AM