Comments on: Privacy Fail

By: Zackatoustra

Zackatoustra — Sat, 06 Feb 2010 15:57:14 +0000

Thanks to LittleSnitch for warning us of that kind of “undercover” connections.
Thanks a bunch to you for googling that issue for us, and bringing the answer to the community.

Back to LittleSnitch now and deny forever these certificate requests…

By: JT

JT — Mon, 30 Nov 2009 13:47:21 +0000

Camino also ends up with ocspd asking to connect to verisign. Probably because it’s built off of Modzilla FF and/or Safari?

I set to deny on Little Snitch as well after reading the page (looking for what ocspd was). I’ll probably switch it when I have to go to my bank site or something secure I suppose.

By: adam

adam — Fri, 19 Jun 2009 22:44:03 +0000

Well, that doesn’t ‘do’ much for you, as the entire point of OCSP is to validate the certificates you encounter when hitting SSL enabled sites.
If you just deny the connection each time, you can’t validate the cert.

I’d probably be ok with a published privacy policy dictating that the information disclosed via OCSP would never be used for any purpose beyond validation of a certificate in question.

By: David

David — Tue, 16 Jun 2009 03:41:21 +0000

COMMENTS PLEASE:I think this should be done but I am open to your comments:

Leave the “safe browsing, alert for fraudulent websites” on. Say no to it when it pops up in Little Snitch for sites you wish to remain private: peer to peer sites etc…

If you are going to a banking site you then will have it on for “security”
I presume OCSP does not compromise your secure online banking processes. (your thoughts)

By: Mary

Mary — Fri, 29 May 2009 15:35:59 +0000

what do you mean by “security”? Isn’t privacy going to be more important and aren’t most of the sites out there having the same security issues? I use Noscript to try to protect my security and I am glad to know that my privacy was being violated. Unless I know of some other reason to allow it, I think I’ll set little snitch to deny this.

By: McKs

McKs — Mon, 18 May 2009 18:42:36 +0000

I’m seeing the LS alert at regular intervals, browser running or not. Haven’t been able to figure out what is requesting certificate verification on a such a regular bases, but I don’t like (not knowing) it.
Also, I rarely use Safari, Camino being my default browser.

By: Elmz

Elmz — Wed, 13 May 2009 15:33:15 +0000

Thanks for the write up, I just ran into the exam same scenario. I really liked using Safari but I guess I’m going back to FF…

By: bill

bill — Mon, 11 May 2009 18:18:56 +0000

sounds like the better choice is just not to use safari. then again, why would you, unless for testing. thanks for the info!

By: dvromeu

dvromeu — Tue, 03 Mar 2009 20:31:32 +0000

I ended up here also after asking myself what exactly ocspd was and what it was doing…

Like you say, it’s a choice between security and privacy…

By: adam

adam — Tue, 24 Feb 2009 12:06:58 +0000

Depends on what is important to you – EV SSL certificates can’t be verified without it.
It’s the age old problem of trading security for privacy.