HR Geeks

Privacy Fail

by adam on Nov.20, 2008, under computers, networking, security, website


After the recent Apple update, which included ‘security fixes’ for Safari, Little Snitch popped up a warning message when I attempted to visit my bank's website. A process called ocspd wanted to visit “EVSecure-ocsp.verisign.com”. Needless to say, I was instantly curious as to what in the world ocspd was, and why it was trying to talk to Verisign when I was visiting my bank's webpage.

It turns out ocspd is part of Apple's new ‘safe surfing’ update to Safari. Online Certificate Status Protocol (OCSP) is the functional replacement for the old-school PKI Certificate Revocation List (CRL). It allows the Certificate Authority (CA) that signed the website's certificate (in this case, Verisign) to confirm in real time that the presented certificate is still valid. This is a much more ‘elegant’ solution than the old, crummy CRL, which had to be manually updated (or pushed down with OS patches, etc.) and did not allow fraudulent certificates to be rejected in anywhere near real time.

Despite being a more elegant solution, it also creates a number of new problems.  

First, it places a big new load on CAs, who went from being trusted certificate issuers to being real-time certificate verifiers.

Secondly (and more importantly), it seriously breaches the privacy of every user using the service.

By requesting verification of every SSL certificate, the signing CAs now receive notification (and potentially tracking identification) every[1] time someone browses to a site utilizing an SSL certificate signed by that CA.  If that’s not bad enough, at least for Verisign, the server name is POSTed via plaintext HTTP!  Your formerly encrypted, secure connection to the remote server is now compromised by a plaintext referral to a 3rd party, who also gets to track your visits.

The entire contents of the SSL session aren't posted, only the name of the site you are attempting to access, but even that would normally have been encrypted, and most definitely not available to 3rd parties.

So, Safari, by default, will now violate its users' privacy in an attempt to prevent stupid users from mistaking an invalid SSL certificate for a valid one.

Luckily, Firefox 3 (all versions of FF support OCSP; v3 turns it on by default), Opera and IE7 (only on Vista) do the exact same thing! With IE and Firefox, however, the OCSP client is apparently in-process to the browser, so it didn't flag on firewalls and app monitors like Little Snitch.

On FF3 and Safari, it is simple enough to disable – in ‘Security Settings’, simply uncheck the ‘Safe Surfing’ or ‘Fraudulent Site’ protection buttons.  I don’t have Vista or Opera, so I don’t know if it can be disabled there or not.

The protocol doesn't appear to allow cookies or specific tracking tokens to be exchanged, but IP addresses and the like most definitely are exposed. I have to wonder what the privacy policy of the CAs is on information like this – there is definitely monetary value in knowing which IPs are hitting which encrypted sites. I can't find (after a bit of googling) any real reference to privacy policies or other tracking-information policy on the part of any CA.

 

[1] Technically, ocspd supports session ‘stapling’, allowing the server serving the credentials that are being verified to cache a short-duration ‘stamp’ from the OCSP responder at the CA and provide it as a cached object during TLS session negotiation. This definitely does not negate the need to take a better look at the privacy implications of OCSP in the first place.


11 Comments for this entry

  • MikeOxford

    So…?
    Should we allow it or not?

  • adam

    Depends on what is important to you – EV SSL certificates can’t be verified without it.
    It’s the age old problem of trading security for privacy.

  • dvromeu

    I ended up here also after asking myself what exactly ocspd was and what it was doing…

    Like you say, it’s a choice between security and privacy…

  • bill

    sounds like the better choice is just not to use safari. then again, why would you, unless for testing. thanks for the info!

  • Elmz

    Thanks for the write-up, I just ran into the exact same scenario. I really liked using Safari but I guess I’m going back to FF…

  • McKs

    I’m seeing the LS alert at regular intervals, browser running or not. Haven’t been able to figure out what is requesting certificate verification on such a regular basis, but I don’t like (not knowing) it.
    Also, I rarely use Safari, Camino being my default browser.

  • Mary

    what do you mean by “security”? Isn’t privacy going to be more important and aren’t most of the sites out there having the same security issues? I use Noscript to try to protect my security and I am glad to know that my privacy was being violated. Unless I know of some other reason to allow it, I think I’ll set little snitch to deny this.

  • David

    COMMENTS PLEASE: I think this should be done but I am open to your comments:

    Leave the “safe browsing, alert for fraudulent websites” on. Say no to it when it pops up in Little Snitch for sites you wish to remain private: peer to peer sites etc…

    If you are going to a banking site you then will have it on for “security”
    I presume OCSP does not compromise your secure online banking processes. (your thoughts)

  • adam

    Well, that doesn’t ‘do’ much for you, as the entire point of OCSP is to validate the certificates you encounter when hitting SSL enabled sites.
    If you just deny the connection each time, you can’t validate the cert.

    I’d probably be ok with a published privacy policy dictating that the information disclosed via OCSP would never be used for any purpose beyond validation of a certificate in question.

  • JT

    Camino also ends up with ocspd asking to connect to Verisign. Probably because it’s built off of Mozilla FF and/or Safari?

    I set to deny on Little Snitch as well after reading the page (looking for what ocspd was). I’ll probably switch it when I have to go to my bank site or something secure I suppose.

  • Zackatoustra

    Thanks to LittleSnitch for warning us of that kind of “undercover” connection.
    Thanks a bunch to you for googling that issue for us, and bringing the answer to the community.

    Back to LittleSnitch now and deny forever these certificate requests…
