<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 03/23/2013 02:44 AM, From Ryan Sleevi:
<blockquote
cite="mid:CACvaWvYrxxSZi=0uOMQONz6U76yogc2ORUKbg593eZzh2S1u4w@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra">
<div class="gmail_quote">
<div style="">If the browser has obtained a valid OCSP
response (eg: via OCSP stapling), they can skip obtaining
fresh revocation information - because to every compliant
implementation, it IS fresh revocation information.</div>
</div>
</div>
</div>
</blockquote>
<br>
Let me help you think here... in this case there was at least ONE
OCSP check done, whereas in your case it's NONE.<br>
<br>
For an attack to be successful you can't rely on the possibility
that A) the victim has visited the site beforehand and B) nothing
happened to the cache and C) the software being used doesn't check
OCSP again. This isn't a reliable attack and runs too much risk of being
detected early.<br>
<br>
What you propose is the perfect attack with no chance to intervene,
very reliably for 7 days. Usually more than enough for the target.<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
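<br>
As an added example that is not part of this thread, the following Python code shows how a client decides whether a cached or stapled OCSP response is still acceptable: a compliant implementation only requires the current time to fall between the response's thisUpdate and nextUpdate, which is why a response fetched at first visit keeps satisfying the check for its whole window. It uses the third-party `cryptography` library; the CA, the leaf certificate, the 7-day window and the `max_age` cap (a hypothetical stricter client policy) are all constructed assumptions.

```python
# Added example (not from the thread): how a client judges whether a cached or stapled
# OCSP response is still acceptable. Needs `cryptography`; CA, leaf and window are constructed.
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

DAY = datetime.timedelta(days=1)
NOW = datetime.datetime(2013, 3, 23, 2, 44)  # naive UTC; constructed reference time
WINDOW = 7 * DAY                             # constructed thisUpdate..nextUpdate span
_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, issuer_cn, key, signer):
    # Minimal certificate: just enough for the OCSP responder to hash and sign over.
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - WINDOW).not_valid_after(NOW + 10 * WINDOW)
            .sign(signer, hashes.SHA256()))

def build_good_response():
    """Return a DER OCSP response saying GOOD, valid from NOW until NOW + 7 days."""
    ca_key, leaf_key = [ec.generate_private_key(ec.SECP256R1()) for _ in range(2)]
    ca = _cert("Example CA", "Example CA", ca_key, ca_key)
    leaf = _cert("www.example.test", "Example CA", leaf_key, ca_key)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + WINDOW, revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def _field(resp, name):
    value = getattr(resp, name + "_utc", None) or getattr(resp, name)  # newer *_utc first
    return value.replace(tzinfo=None) if value is not None and value.tzinfo else value

def cached_response_acceptable(der, now, max_age=None):
    """RFC 6960 baseline: usable while thisUpdate <= now < nextUpdate, so a response cached
    at first visit stays 'fresh' for the whole window; max_age is a hypothetical stricter policy."""
    r = ocsp.load_der_ocsp_response(der)
    if (r.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL
            or r.certificate_status != ocsp.OCSPCertStatus.GOOD):
        return False
    this_update, next_update = _field(r, "this_update"), _field(r, "next_update")
    if not (this_update <= now and (next_update is None or now < next_update)):
        return False
    return max_age is None or now - this_update <= max_age
```

Without `max_age`, a response obtained on day 0 is accepted unchanged until the end of day 6; the cap is the knob a client has for shortening that window.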
</body>
</html>