Skip to content

2019 178: sites with EV HTTPS certificates leak information via OCSP

Mike Tigas edited this page Jun 15, 2019 · 1 revision

tl;dr: When visiting a site with an EV ("green bar") TLS certificate in Onion Browser, iOS will leak information (TLS certificate serial number) over a non-Tor connection that can be used to reveal the domain name of the site.

Our current understanding of the details of this issue and summary of facts can be read below.

This is tracked in issue 178, and ongoing discussion about this issue will take place there.


OCSP background

OCSP is a way for a browser to check if a TLS certificate has not been revoked by the issuer. A revocation can mean that the TLS certificate was compromised and that an attacker may have the ability to pose as the real server or decrypt traffic. OCSP is a defense against certain attacks like this.

The OCSP request does not contain any user session data, nor does it actually contain the domain name of the server. However, it contains the "serial number" of the site's certificate; the OCSP provider, a certificate authority (CA) trusted by the browser, responds with a signed response; the browser then checks the response against the known public key of that CA.

Although the request does not contain the domain name for a certificate, most certificate authorities now participate in Certificate Transparency (CT), which provides a public, auditable log of TLS certificates (to protect against a rogue CA issuing a certificate for a domain without permission). Serial numbers are part of this information, and therefore a domain can be reversed out. For example, the serial 0135cce659c8cb909d9e091cf619a2b6 is the DigiCert-issued TLS certificate for the New York Times onion site: https://crt.sh/?serial=0135cce659c8cb909d9e091cf619a2b6

Additionally, anybody who has seen the certificate (i.e., has been to the site before) will probably also know that the serial and the domain name correlate.

OCSP in iOS

For UIWebView (the browser engine that Onion Browser uses), iOS performs an OCSP check for EV "green bar" HTTPS certificates only (old link, but all current testing agrees with the points there). There is no way to disable OCSP checking, nor is there any way to modify this behavior either inside the settings, or inside the programming of an app.

Unfortunately, like media files and some types of data, OCSP requests are actually performed by iOS itself and are not in the app's UIWebView or in any part of the system that the app has control over.

The OCSP leak in Onion Browser

Because of this, the method that Onion Browser reconfigures the app (& it's UIWebView) for Tor does not work for OCSP requests, and these requests are sent over the "clear net".

The endpoint OCSP provider that iOS attempts to talk to depends on the certificate itself. Many are served via HTTP (possibly to avoid cyclical dependency if an HTTPS OCSP endpoint needed to validate itself).

(Note: As of now (June 2019), for .onion domains, valid HTTPS certificates issued by the standard certificate authorities must be EV certs. This is so that any valid certificate for an .onion domain also requires full validation of the organization hosting the service in addition to proof that the organization controls the domain in question. For example, the onion services for Facebook, ProPublica, the New York Times, and etc, all use certificates that fall under this category.)


In summary:

  • in iOS, OCSP checks cannot be disabled or reconfigured. they cannot be routed via Tor using the current methods employed in Onion Browser.
  • iOS only checks OCSP for EV "green bar" certificates.
  • if you visit a site with an EV certificate:
    • an adversary with access to your (non-Tor) network traffic may be able to see the certificate's serial number (if the CA uses HTTP-based OCSP)
    • the CA (or an adversary at the OCSP server endpoint) will be able to see the certificate's serial number
  • knowledge of the serial number can reveal the domain name(s) associated with the certificate

tl;dr: When visiting a site with an EV ("green bar") TLS certificate in Onion Browser, iOS will leak information (TLS certificate serial number) over a non-Tor connection that can be used to reveal the domain name of the site.

You can’t perform that action at this time.