review OCSP
@maltejur said:
Is there a reason why OCSP is currently disabled by default in LW?
originally librewolf-community/browser/source#18 (comment 846506587)
this seems like a good time to take a stance on this, or at least to document this stuff. from a comment I posted elsewhere:
it's overall a bad implementation when compared to CRL:
- it makes browsing slower.
- it leaks the IP and the visited website to CAs.
- you either hard-fail (not great for usability, prone to DDoS and CAs being down) or soft-fail (not great for security).
- OCSP stapling solves these issues, but if the response is not stapled the browser will fall back to normal OCSP, which brings back all the above problems.
Chromium-based browsers no longer support OCSP, in favor of CRL. of course nothing prevents us from enabling it and then having CRL not fall back to it (it would be a backup solution basically).
edit: with the introduction of stapling this might have changed but I haven't had time to deep dive whether that's a default for all Chromium browsers or just some of them. if someone knows more, please share as I'm interested in collecting data on this (hence the research label).
notes:
- OCSP is always stapled in Firefox, although as I mention it can go back to non-stapled mode when needed.
- this blocks librewolf-community/browser/source#18 (comment 846506587) for now.
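An added example (not part of this issue or of LibreWolf's code) for the stapling point above: a small parser for the output of `openssl s_client -status`, which reports whether the server stapled an OCSP response, plus a helper that maps the result onto the behaviour described in the bullets (stapled response used as-is; no staple and OCSP enabled means a live OCSP query to the CA; OCSP disabled means no OCSP check at all). The two captured outputs are constructed to match the shape OpenSSL prints and are assumptions, not real captures.

```python
import re

# Constructed sample: what `openssl s_client -connect host:443 -status`
# prints when the server staples a "good" OCSP response (assumed format).
STAPLED_SAMPLE = """\
CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = XX, O = Example CA, CN = Example OCSP Responder
    Produced At: Jan  1 00:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
"""

# Constructed sample: the same command against a server that does not staple.
UNSTAPLED_SAMPLE = """\
CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.invalid
"""


def parse_ocsp_stapling(s_client_output: str) -> dict:
    """Extract the stapling status from `openssl s_client -status` output.

    Returns a dict with:
      stapled         - True when an OCSP response was sent in the handshake
      response_status - e.g. "successful", or None when nothing was stapled
      cert_status     - e.g. "good" / "revoked" / "unknown", or None
    """
    if "OCSP response: no response sent" in s_client_output:
        return {"stapled": False, "response_status": None, "cert_status": None}
    if "OCSP Response Data:" not in s_client_output:
        # `-status` was not used, or the output is truncated: treat as unknown.
        return {"stapled": False, "response_status": None, "cert_status": None}

    status = re.search(r"OCSP Response Status:\s*(\w+)", s_client_output)
    cert = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    return {
        "stapled": True,
        "response_status": status.group(1) if status else None,
        "cert_status": cert.group(1) if cert else None,
    }


def expected_browser_behaviour(parsed: dict, ocsp_enabled: bool) -> str:
    """Map a parsed handshake onto the fallback behaviour discussed above.

    - A stapled response is consumed directly: no extra round trip, nothing
      sent to the CA. A stapled "revoked" status is a hard reject.
    - Without a staple, a browser with OCSP enabled falls back to a live
      OCSP query (slower, and the CA learns the client IP and the site).
      Whether a failed query then hard-fails or soft-fails is a separate
      setting and is not modelled here.
    - With OCSP disabled there is no OCSP check at all (CRL-based checks,
      where available, are outside this helper).
    """
    if parsed["stapled"]:
        if parsed["cert_status"] == "revoked":
            return "reject-revoked"
        return "use-stapled-response"
    return "live-ocsp-query" if ocsp_enabled else "no-ocsp-check"


if __name__ == "__main__":
    for name, sample in (("stapled", STAPLED_SAMPLE), ("unstapled", UNSTAPLED_SAMPLE)):
        parsed = parse_ocsp_stapling(sample)
        print(name, parsed,
              "ocsp on ->", expected_browser_behaviour(parsed, True),
              "| ocsp off ->", expected_browser_behaviour(parsed, False))
```

To run it against a real host, pipe the live command output into `parse_ocsp_stapling`, e.g. `parse_ocsp_stapling(subprocess.run(["openssl", "s_client", "-connect", "host:443", "-status"], input=b"", capture_output=True).stdout.decode())`; a `live-ocsp-query` result is exactly the case where the unstapled fallback in the bullets above applies.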