OCSP SSL certificate check. Need easy way to turn it on/off.
-
Firefox has a setting that I needed to shut off to use firefox in my company.
Vivaldi doesn't seem to have a setting. But if I create a key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Vivaldi
and a REG_DWORD value under that named
EnableOnlineRevocationChecks
with a value of 0, then I can get to SSL websites.
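As an added example (not code from this thread, from Vivaldi, or from the poster), a PowerShell script an administrator can use to audit whether this policy value has switched online revocation checks off, and to remove the override again; it assumes only the key path and value name exactly as posted above.

```powershell
# Added example: audit the Vivaldi policy value described in the post and
# optionally remove it so online revocation (OCSP/CRL) checks are no longer
# suppressed. Path and value name are taken from the post; nothing else is
# assumed about Vivaldi's default behaviour when the value is absent.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Vivaldi'
$ValueName  = 'EnableOnlineRevocationChecks'

function Get-VivaldiRevocationCheckState {
    # Returns whether the policy overrides the browser default and, if so,
    # whether that override disables the checks (a value of 0 does).
    if (-not (Test-Path -Path $PolicyPath)) {
        return [pscustomobject]@{ Overridden = $false; Disabled = $false; Note = 'policy key absent; browser default applies' }
    }
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Overridden = $false; Disabled = $false; Note = 'policy key present but value not set' }
    }
    $raw = [int]$item.$ValueName
    [pscustomobject]@{ Overridden = $true; Disabled = ($raw -eq 0); Note = "value is $raw" }
}

function Restore-VivaldiRevocationChecks {
    # Removes the override (supports -WhatIf / -Confirm); needs an elevated shell.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-VivaldiRevocationCheckState
    if ($state.Overridden -and $state.Disabled) {
        if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Remove override that disables revocation checks')) {
            Remove-ItemProperty -Path $PolicyPath -Name $ValueName
        }
    }
    else {
        Write-Verbose "Nothing to restore ($($state.Note))"
    }
}

$state = Get-VivaldiRevocationCheckState
if ($state.Disabled) {
    Write-Warning "Online revocation checks are disabled by policy ($($state.Note)); a revoked certificate will be accepted silently."
}
else {
    Write-Output "Online revocation checks are not suppressed by policy ($($state.Note))."
}
```

Run `Restore-VivaldiRevocationChecks -WhatIf` first to see what would be removed; the actual removal requires an elevated PowerShell session.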
-
@DanielW0830 If OCSP reports revocation of a certificate for a site then that site !!CANNOT BE TRUSTED!!
You should report the issue to the web site admin, and wait for them to fix the problem by installing a valid certificate.
Possible reasons for revocation include that the private key has been stolen.
Another group of reasons include bad issuance, including for example being provided to a site that should not have such a cert. There have been several cases of extremely wide wildcard certificates being issued that could pretend to be any site on the web.
Then you have the really bad one: Compromise of the CA, like what happened in the case of DigiNotar, when (suspected) nation state sponsored attackers managed to control the (badly designed and secured) issuance systems at DigiNotar (that CA shut down within days of detection of the attack).
And further you have CAs discovering that certain certificates have been misissued and retract them; the most recent case I am aware of is Digicert having to retract thousands of certificates a month ago due to errors when validating the requester's domain, and I have myself encountered a very public site (a wifi access page) whose certificate had not been replaced, and wasn't for 3 weeks, despite several nags from me (excuse used: vacation time).
-
@yngve My company has a man in the middle security feature.
They connect to the destination SSL site, capture its certificate, then re-encrypt the data with their own certificate.
This way they can sniff ALL the SSL data going in and out of the company.
Here's the SSL from the site I am replying on right now (you can see why it says revoked):

Issued To:
Common Name (CN) vivaldi.net
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) <Not Part Of Certificate>

Issued By:
Common Name (CN) *** MY COMPANY NAME ***
Organization (O) *** MY COMPANY NAME Incorporated
Organizational Unit (OU) IT Shared Services

Validity Period:
Issued On Saturday, July 20, 2024 at 8:40:55 PM
Expires On Friday, October 18, 2024 at 8:40:54 PM

If anyone has a better solution to have Vivaldi remain secure but function in this environment, let me know.
For all I know, the IT system is doing the validation for me.
-
@DanielW0830 OCSP uses a URL specified in the certificate; in this case it would be your system administrators that create the certificate and (possibly) insert an OCSP URL there. If that URL isn't there, there will be no OCSP check (same for CRL).
If that certificate is revoked, it is your sysadmin that has been doing the revoking, not Vivaldi's CA.
If the certificate does contain the original OCSP URL, yes, then you would get back a "Bad Request, unknown certificate, treat as revoked", but that is, again, your sysadmin's responsibility, since they (apparently) copy too much data from the original certificate. (Alternatively, they are inserting their own OCSP URL that responds with bad responses; again, that is their problem, they should fix it.)
Oh, and BTW, using this kind of interception system, you may not be able to use Google sites: unless the Chromium team have changed policy since DigiNotar, they will verify that the certificate was issued by Google's own CA (that is how the DigiNotar incident was discovered; the attackers tried to intercept Google requests, which triggered a very bad error message and subsequent reports to Google).