Online Certificate Status Protocol (OCSP) and Port 80


OCSP does not have to be on port 80. However, the URL for the OCSP service is specified in the certificates whose validity you are checking; if you want to run it on another port, you need to make sure that the certificates contain the proper port specification.

The reason why OCSP can be run on HTTP 80, rather than HTTPS, is that the OCSP responses are already signed by the OCSP server. The OCSP client will validate that the signature is authorized to sign OCSP responses for the CA that has issued the certificate it's checking; any MITM would make that validation fail - so adding an extra layer of encryption/authentication does not increase security, but does add complexity and increases possible failure modes.

As pointed out in a comment, running OCSP over HTTP does have the drawback that it's potentially possible for an attacker to intercept network traffic and see what certificates you are checking. However, they are still not able to change the contents of the response.
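To make the answer's point concrete, here is an added example (mine, not part of the original answer or of any OCSP implementation) that builds a throwaway PKI with the Python `cryptography` package: a CA, a delegated OCSP signer issued by that CA with the id-kp-OCSPSigning EKU, and a leaf certificate whose AIA extension points at `http://ocsp.example.test:8080/`. The hostname, the port 8080 and all the names are assumptions made up for the example. It then shows the three things a client actually relies on: it reads the responder URL (and therefore the port) out of the certificate, it checks that the response signature verifies under a key the issuing CA has authorized, and it rejects a forged "good" response that a man-in-the-middle on the HTTP path could inject.

```python
"""Added example (not from the original answer): a toy PKI whose leaf cert names an OCSP
responder on port 8080, and the client checks that make the response trustworthy over HTTP.
Needs the `cryptography` package; every name, host and port here is made up."""
import datetime
from urllib.parse import urlsplit

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID

OCSP_URL = "http://ocsp.example.test:8080/"  # assumed: responder on 8080, not 80
UTC = datetime.timezone.utc
OCSP_EKU = [(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False)]


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, issuer_name, issuer_key, pubkey, extensions=()):
    """Issue a one-day P-256 certificate; extensions is a list of (extension, critical)."""
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(issuer_name)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(issuer_key, hashes.SHA256())


def make_pki():
    """Self-signed CA, a delegated OCSP signer issued by it, and a leaf with an AIA URL."""
    ca_key, resp_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _issue("Example CA", _name("Example CA"), ca_key, ca_key.public_key(),
                [(x509.BasicConstraints(ca=True, path_length=None), True)])
    responder = _issue("Example OCSP Responder", ca.subject, ca_key, resp_key.public_key(), OCSP_EKU)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    leaf = _issue("www.example.test", ca.subject, ca_key, leaf_key.public_key(), [(aia, False)])
    return ca_key, ca, resp_key, responder, leaf


def ocsp_endpoints(cert):
    """(scheme, host, port) for each OCSP URL in the AIA extension: the only place a client
    learns where the responder lives, so a non-default port has to be written here."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    urls = [urlsplit(d.access_location.value) for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]
    return [(u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80)) for u in urls]


def sign_response(leaf, issuer, signer_key, signer_cert, revoked=False):
    """Responder side: DER-encoded, signed OCSP response that carries the signer's cert."""
    now = datetime.datetime.now(UTC)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=leaf, issuer=issuer, algorithm=hashes.SHA256(), cert_status=status,
                             this_update=now, next_update=now + datetime.timedelta(hours=1),
                             revocation_time=now - datetime.timedelta(hours=1) if revoked else None,
                             revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert)
               .certificates([signer_cert]))
    return builder.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def validate_ocsp_response(der, leaf, issuer):
    """Client side, per RFC 6960 s.4.2.2.2: return 'good' / 'revoked' / 'unknown' or raise
    ValueError.  Nothing here depends on the transport, so plain HTTP cannot weaken the answer;
    it only exposes which serial number was queried."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {resp.response_status.name}")
    if resp.serial_number != leaf.serial_number:
        raise ValueError("response is about a different certificate")
    # The signer is the issuing CA itself or a certificate carried inside the response.
    signer = next((c for c in [issuer, *resp.certificates] if c.subject == resp.responder_name), None)
    if signer is None:
        raise ValueError("no certificate matches the responder ID")
    if signer is not issuer:  # delegated responder: must be CA-signed and marked id-kp-OCSPSigning
        try:  # P-256 keys only in this example
            issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       ec.ECDSA(signer.signature_hash_algorithm))
        except InvalidSignature:
            raise ValueError("responder certificate was not issued by the CA") from None
        try:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            eku = []
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            raise ValueError("responder certificate lacks id-kp-OCSPSigning")
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        raise ValueError("response signature does not verify: tampered or forged") from None
    return resp.certificate_status.name.lower()


def forge_response(leaf, issuer):
    """What a MITM on port 80 can do: sign a 'good' answer with its own key under a cert
    that only claims the CA as issuer.  The CA never signed it, so the client rejects it."""
    k = ec.generate_private_key(ec.SECP256R1())
    return sign_response(leaf, issuer, k,
                         _issue("Example OCSP Responder", issuer.subject, k, k.public_key(), OCSP_EKU))


def demo():
    ca_key, ca, resp_key, responder, leaf = make_pki()
    out = {"endpoints": ocsp_endpoints(leaf),
           "delegated": validate_ocsp_response(sign_response(leaf, ca, resp_key, responder, True), leaf, ca),
           "direct": validate_ocsp_response(sign_response(leaf, ca, ca_key, ca), leaf, ca)}
    try:
        validate_ocsp_response(forge_response(leaf, ca), leaf, ca)
        out["forged"] = "accepted"
    except ValueError as e:
        out["forged"] = f"rejected: {e}"
    return out
```

Running `demo()` gives the endpoint `("http", "ocsp.example.test", 8080)` read straight out of the certificate, `revoked` for the delegated responder's answer, `good` for a response the CA signed directly, and a rejection for the forged response, because the attacker's signing certificate does not verify under the CA key. A real client adds a freshness check on thisUpdate/nextUpdate and handles RSA as well as EC signers; neither changes the point that the transport is not what the trust rests on.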

Author: Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin almost 2 years

    I had used OCSP stapling in AWS in the past; due to changes on AWS, they no longer allow this. This has resulted in having to open a firewall rule to allow outbound HTTP traffic for OCSP from client devices.

    For us, opening port 80 is not allowed across the secure network that a device sits on, and some people have raised concerns that sending data over HTTP in cleartext leaves it open to MITM manipulation en route to the OCSP server.

    When I read the information about the Online Certificate Status Protocol, it talks of using HTTP, but I cannot see where it specifically states it must be port 80.

    Has anyone got experience of using OCSP without port 80, or had any security concerns about opening such ports to this traffic?

  • Honza
    Honza about 6 years
    OCSP responses are signed, which ensures integrity and prevents MITM; however, it does not ensure privacy: anybody can see the number of the certificate you are checking. HTTPS can be used to ensure privacy, but it has to be defined in the certificate. (see tools.ietf.org/html/rfc6960#page-30)
  • Jenny D
    Jenny D about 6 years
    @Honza That's a good point. I'll edit the answer to include that.