Add ocsp and crl blocklist #470

Closed
it-can opened this issue Nov 13, 2020 · 20 comments

Comments

@it-can

it-can commented Nov 13, 2020

I think these blocklists (ocsp and crl) need to be added to nextdns.

https://github.com/ScottHelme/revocation-endpoints

Some background info:

https://scotthelme.co.uk/revocation-checking-is-pointless/

https://sneak.berlin/20201112/your-computer-isnt-yours/

@beerisgood
Contributor

Same nonsense as #468

OCSP isn't spying. It's for secure connections

@it-can
Author

it-can commented Nov 13, 2020

Same nonsense as #468

OCSP isn't spying. It's for secure connections

Would be nice to have an opt-in in nextdns I think.

@beerisgood
Contributor

Would be nice to have an opt-in in nextdns I think.

Why? If you think you need to block this and reduce your security, add the domain(s) to your blacklist.

@it-can
Author

it-can commented Nov 13, 2020

Would be nice to have an opt-in in nextdns I think.

Why? If you think you need to block this and reduce your security, add the domain(s) to your blacklist.

Read Scott's blog...

@beerisgood
Contributor

Read Scott's blog...

Read the comments on his blog, e.g.:

I understand the weaknesses in validation, but the assertion that validation (CRL or OCSP) is pointless doesn't hold water.
Disabling validation through DNS or client-side settings is a self-imposed vulnerability, and says nothing about the underlying validation mechanism. It's akin to disabling your home security system and claiming that alarms/cameras/motion detectors are pointless.

https://scotthelme.co.uk/revocation-checking-is-pointless/#comment-4834056007

So the guy posts a blog about his research, but he doesn't understand what he does.

You can read about both features:
https://en.wikipedia.org/wiki/Certificate_revocation_list
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

@m-p-3

m-p-3 commented Nov 14, 2020

Same nonsense as #468

OCSP isn't spying. It's for secure connections

Which ironically isn't encrypted. So whoever is sniffing traffic can see what you're doing.
Date, Time, Computer, ISP, City, State, Application Hash

Just compile a comprehensive list of hashes, and you know which app someone is launching over the network. It's a built-in backdoor!

@beerisgood
Contributor

Just compile a comprehensive list of hashes, and you know which app someone is launching over the network. It's a built-in backdoor!

Made my day.

@crssi

crssi commented Nov 15, 2020

I felt not confident (and still do) in my inner judgement, and after reading Thorin-Oakenpants' response I could see that @it-can's and @JJayet's proposition might not be pointless, worth considering and giving end users a choice.

@beerisgood
Contributor

Some people obviously don't understand the purpose or mechanism of the Online Certificate Status Protocol (OCSP).

A report said macOS sends an "application hash" each time you run an app. This "hash" is the encoded, already-known certificate that is sent to the OCSP server for the validity check.

The same happens when you go to a website that supports OCSP and use Firefox …

Read more at https://blog.jacopo.io/en/post/apple-ocsp/

@crssi

crssi commented Nov 15, 2020

@beerisgood I understand what you are trying to say, but, thinking more and more here (lol... me thinking??? 😄), it is a weighing between security and privacy.
You are talking about security and OP is talking about privacy, and both of you are right... it just depends on what means more to the user in the end.
So to meet in the middle, it would be nice for the end user to have a choice.

And I am sure you two would meet somewhere in the middle in a bar with unlimited quantities of beer at your disposal. 😄
Wouldn't you agree more? 😉

Here is the topic where I have asked Thorin and BigE for an opinion: https://github.com/arkenfox/user.js/issues/1063
Referring to https://github.com/arkenfox/user.js/blob/ccbca41e2d73fa63908fd87c2a7d35615016e7f7/user.js#L675-L681

Cheers

@beerisgood
Contributor

Security should always be preferred, but of course I'm fine if an option exists to block such stuff for increased privacy.

@Mikaela

Mikaela commented Nov 15, 2020

I hope the option for OCSP blocking would be opt-in rather than opt-out (#470 (comment)), as blocking OCSP by default would stop browsers using the aforementioned Arkenfox user.js (arkenfox/user.js#1063 (comment)) and other OCSP hard-failing browsers from working.

@m-p-3

m-p-3 commented Nov 16, 2020

@beerisgood

Read more at https://blog.jacopo.io/en/post/apple-ocsp/
No, macOS does not send Apple a hash of your apps each time you run them.

Thanks, looks like I misunderstood what was said in the initial articles. Consider me correctly educated on the matter then :)

@crssi

crssi commented Nov 18, 2020

Tested the OCSP and CRL blocking now for 24 hours.
Obviously OCSP has to be disabled or soft-failing in browsers for this to work... but I will never know the results for applications and IoT devices specifically.

Block CRLs, and stuff will start to break.
Yesterday evening the kid complained that login to EPIC was failing... guess what the reason was?
Today the kid couldn't connect to Teams for remote schooling (due to Corona sh*t)... guess what the reason was?

For now, blocking OCSP is fine and blocking CRL is a BIG NO NO.

Will update for OCSP if I find something new.

Cheers

UPDATE:
If OCSP is not forced by the applications, which it normally is not, then blocking it breaks nothing. Blocking CRL, on the other hand, brings a lot of breakage.

It would be nice if we could get https://github.com/ScottHelme/revocation-endpoints/blob/master/ocsp.txt into the NextDNS blocklist options.
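The post above notes that for non-browser clients and IoT devices you "will never know" what a revocation blocklist breaks until it does. One way to find out beforehand is to replay the resolver's query log against the list and see which clients would lose OCSP or CRL fetches. The script below is an added example, not code from NextDNS, from this thread, or from the revocation-endpoints repository. It assumes the lists are one hostname per line (ocsp.txt is named in the thread; a companion crl.txt is an assumption), that a DNS filter blocks a listed name and all of its subdomains (whole-label matching, so `notocsp.apple.com` does not match `ocsp.apple.com`), and uses a constructed three-column log format. Apart from ocsp.apple.com, which appears later in this thread, every hostname, address and timestamp is a constructed placeholder.

```python
"""Audit a DNS query log against OCSP/CRL hostname blocklists.

Added example (not NextDNS or revocation-endpoints code). Assumptions:
blocklists are one hostname per line with '#' comments; a DNS filter
blocks a listed name and every subdomain of it; the log format is the
constructed '<timestamp> <client-ip> <qname>' used below.
"""
from collections import defaultdict

# Constructed sample OCSP list. ocsp.apple.com is mentioned in the thread;
# the *.example-ca.test names are placeholders, not real responders.
SAMPLE_OCSP = """\
# OCSP responders
ocsp.apple.com
ocsp.example-ca.test
"""

# Constructed sample CRL list (the companion crl.txt is an assumption).
SAMPLE_CRL = """\
# CRL distribution points
crl.example-ca.test
"""

# Constructed sample resolver log. Includes a subdomain hit, a
# case/trailing-dot variant, a sibling label (crl3 vs crl) and a name
# that merely ends in a listed name, to exercise the matching rules.
SAMPLE_LOG = """\
2020-11-17T19:02:11Z 192.0.2.10 ocsp.apple.com
2020-11-17T19:02:12Z 192.0.2.10 www.example.org
2020-11-17T19:05:40Z 192.0.2.23 crl.example-ca.test
2020-11-17T19:05:41Z 192.0.2.23 crl3.example-ca.test
2020-11-17T19:06:02Z 192.0.2.44 OCSP.Example-CA.test.
2020-11-17T19:06:03Z 192.0.2.44 sub.ocsp.example-ca.test
2020-11-17T19:07:00Z 192.0.2.10 notocsp.apple.com
"""


def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text):
    """One hostname per line; '#' starts a comment; blank lines are ignored."""
    names = set()
    for line in text.splitlines():
        entry = normalize(line.split("#", 1)[0])
        if entry:
            names.add(entry)
    return names


def is_blocked(qname, blocklist):
    """True if qname equals a listed name or is a subdomain of one.

    Matching walks whole labels from the right, so a string-suffix
    coincidence like 'notocsp.apple.com' never matches 'ocsp.apple.com'.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], normalize(parts[2])))
    return records


def audit(log_text, ocsp_text, crl_text):
    """Group would-be-blocked queries per client, CRL and OCSP separately.

    CRL hits are reported first because, as the thread's 24-hour test found,
    blocking CRL fetches is what actually breaks applications.
    """
    ocsp, crl = parse_blocklist(ocsp_text), parse_blocklist(crl_text)
    hits = {"ocsp": defaultdict(set), "crl": defaultdict(set)}
    unblocked = 0
    for _ts, client, qname in parse_log(log_text):
        if is_blocked(qname, crl):
            hits["crl"][client].add(qname)
        elif is_blocked(qname, ocsp):
            hits["ocsp"][client].add(qname)
        else:
            unblocked += 1
    return {
        "crl": {c: sorted(n) for c, n in hits["crl"].items()},
        "ocsp": {c: sorted(n) for c, n in hits["ocsp"].items()},
        "unblocked": unblocked,
    }


def main():
    report = audit(SAMPLE_LOG, SAMPLE_OCSP, SAMPLE_CRL)
    for client, names in report["crl"].items():
        print(f"{client}: CRL fetches blocked (expect breakage): {names}")
    for client, names in report["ocsp"].items():
        print(f"{client}: OCSP lookups blocked (fine if soft-fail): {names}")
    print(f"{report['unblocked']} queries unaffected")


if __name__ == "__main__":
    main()
```

Run it against a real export of the resolver's query log in the same three-column shape and the clients listed under "crl" are the ones to check before enabling the list; clients under "ocsp" only matter if they run software that hard-fails on a missing OCSP response.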

@romaincointepas
Member

romaincointepas commented Nov 27, 2020

Aside from ocsp.apple.com (when launching apps on macOS, see the recent outrage), major browsers don't really use that anymore and don't send your entire browsing history to some remote servers (as was implied in some blog posts we read).

@crssi

crssi commented Nov 27, 2020

We don't have only browsers on our networks. 😉
Is there any other reason for you to refuse adding this list (OCSP) to the collection for the user to decide?
If it is not a trouble, please, add it.

Thank you and cheers

@crssi

crssi commented Nov 27, 2020

@beerisgood
After the fiasco of Apple bypassing firewalls and VPN apps and exposing your public IP, my trust in Apple is shattered even more. 😢

They can do that sh*t and it's a "low hanging fruit".

@beerisgood
Contributor

@beerisgood
After the fiasco of Apple bypassing firewalls and VPN apps and exposing your public IP, my trust in Apple is shattered even more. 😢

They can do that sh*t and it's a "low hanging fruit".

That is also wrong. Read
https://www.reddit.com/r/privacy/comments/k07yan/macos_big_sur_does_not_bypass_vpns/

@crssi

crssi commented Nov 27, 2020

Oh... my bad and apologies. Thank you @beerisgood, appreciated. 😄
