Reminder the webpki is still completely broken - now Google OCSP down http://clients1.google.com/ocsp Wonder if there is a targeted attack happening now
Replying to @letoams
Can you tell me precisely what http://clients1.google.com/ocsp is used for? I thought Chrome no longer used OCSP. What's the practical consequence of this service being down?
Replying to @dangoodin001 @letoams
This is the OCSP responder for Google's CA. When an OCSP-using client (i.e. not Chrome) connects to a Google website, it will attempt to contact this OCSP responder to see if the certificate is revoked.
If the client hard fails on OCSP errors, then the client won't be able to access Google websites. No mainstream browser hard fails by default, so practical consequence is likely minimal. Some non-browser clients might hard fail on OCSP errors, but I don't know of any.
Also, as a publicly-trusted CA, Google is required to "maintain an online 24x7 Repository that application software can use to automatically check the current status of all unexpired Certificates issued by the CA" [Baseline Requirements]. They are currently in violation.
CAs have a history of operating unreliable OCSP responders, but people expect Google to do better, which is why this is being remarked upon.