this post was submitted on 31 Jul 2025
Privacy
The fact that not every application that uses TLS certificates does this blows my mind. Certificate revocation should be a valid tool to deal with the compromise of cryptographic credentials, but if applications don't check, then they're opening themselves (and their users) up to a security vulnerability.
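The check the comment above is asking for, as an added example that is not code from the post or from any project it mentions: a Go program that does normal X.509 chain validation and then consults the issuer's CRL, failing closed (status "unknown", not "good") when the CRL is unsigned by the issuer, signed by someone else, or past its nextUpdate. To run offline it builds a throwaway CA, leaf and CRL in memory with only the standard library; the CA name, hostname example.test and serial 4242 are constructed for the example, and the CRL-fetching step (the CRL distribution point in the certificate) is assumed to have already happened.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what the revocation check concludes. "Unknown" covers every
// case where the CRL could not be trusted (bad signature, wrong issuer, stale);
// callers must treat it as a failure, never as "good".
type RevocationStatus int

const (
	StatusGood RevocationStatus = iota
	StatusRevoked
	StatusUnknown
)

func (s RevocationStatus) String() string { return [...]string{"good", "revoked", "unknown"}[s] }

// testPKI is a throwaway in-memory CA, leaf and CRL constructed for this example.
type testPKI struct {
	CA, Leaf *x509.Certificate
	CRLDER   []byte
	Now      time.Time
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// buildTestPKI issues a leaf for example.test from a fresh CA and signs a CRL
// that either lists the leaf's serial (revokeLeaf) or is empty.
func buildTestPKI(revokeLeaf bool) *testPKI {
	now := time.Now().UTC().Truncate(time.Second)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	check(err)
	return &testPKI{CA: ca, Leaf: leaf, CRLDER: crlDER, Now: now}
}

// checkCRL decides whether leaf is revoked according to crlDER, a CRL that must
// have been issued and signed by issuer. Anything that prevents trusting the CRL
// yields StatusUnknown rather than StatusGood.
func checkCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("parse CRL: %w", err)
	}
	// Without a signature check anyone in the path could serve a "clean" CRL.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
		return StatusUnknown, fmt.Errorf("CRL issuer does not match certificate issuer")
	}
	// A CRL past nextUpdate may predate the revocation we care about.
	if now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL stale: nextUpdate %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// verifyWithRevocation adds the step the standard chain check does not do:
// after path validation succeeds, the issuer's CRL is consulted.
func verifyWithRevocation(leaf, root *x509.Certificate, crlDER []byte, host string, now time.Time) (RevocationStatus, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now}); err != nil {
		return StatusUnknown, fmt.Errorf("chain: %w", err)
	}
	return checkCRL(leaf, root, crlDER, now)
}

func main() {
	for _, revoked := range []bool{false, true} {
		p := buildTestPKI(revoked)
		st, err := verifyWithRevocation(p.Leaf, p.CA, p.CRLDER, "example.test", p.Now)
		fmt.Printf("leaf listed in CRL=%v -> status=%s err=%v\n", revoked, st, err)
	}
}
```

The design point is the fail-closed default: a missing, stale or wrongly signed CRL is reported as "unknown" and the caller decides whether to hard-fail, which is the opposite of the soft-fail most clients do in practice. A real deployment would fetch the CRL from the certificate's CRL distribution point (or use OCSP/stapling) and cache it until nextUpdate; that transport is left out here so the logic runs offline.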
Honestly, the chain of trust model for TLS certificates is just broken from top to bottom in practice. It's sort of along the lines of "anyone could walk past the building / into the apartment building basement and start flipping switches or fucking things up with the HVAC system" / "paper checks can be forged by anyone who cares" type of thing: it's mostly just that no one cares enough to exploit the problems with it. But yeah, for anyone who takes seriously things like CA root certificates staying secure and is bothered when they're not, they basically spend all the time they think about it being bothered by it, because right now it's all broken.