Mac users: enable certificate revocation checking - gmac
http://securityskeptic.typepad.com/the-security-skeptic/2011/04/mac-users-listen-up-enable-certificate-checking.html

======
agl
Setting OCSP checking to best attempt doesn't really solve anything because,
if you're assuming that an attacker is MITMing your HTTPS connection, it's not
too much more to assume that they can intercept your OCSP checks too.

<http://www.imperialviolet.org/2011/03/18/revocation.html>

On the other hand, setting strict checking means that large parts of the web
become unusable when a major OCSP server goes down and that would immediately
make them juicy DDoS targets.

~~~
bdhe
> Attacks in Tunisia and only open WiFi networks are the sort of attacks which
> can defeat revocation.

Could you give more details about this statement from your essay?

------
newman314
IIRC, another drawback of enabling this is that you reveal your browser
history. I'm on a mobile device right now, so it's not easy to find the
article to cite, but it should be available via a quick search.
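The two points raised above, agl's soft-fail versus hard-fail trade-off and newman314's history leak, as an added toy model. This is constructed illustration code, not code from the thread, from OS X, or from any browser: the site names, serial numbers and the "attacker blocks OCSP" flag are assumptions made up for the example. It models a client with three revocation policies (off, best attempt, strict), a responder that may be down, and an on-path attacker who can drop the client's OCSP traffic just as easily as they forged the server certificate.

```python
"""Toy model of OCSP revocation-check policies under an on-path attacker.

Constructed example for illustration; it is not code from the thread, from
Apple's OS X, or from any browser. It models three client policies (off,
best-attempt/soft-fail, strict/hard-fail), an OCSP responder that may be
down, and an attacker who can block the client's OCSP traffic.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    OFF = "off"
    BEST_ATTEMPT = "best-attempt"  # soft-fail: unreachable responder => accept
    STRICT = "strict"              # hard-fail: unreachable responder => reject


class ResponderUnreachable(Exception):
    """Raised when no OCSP response arrives (responder down or traffic blocked)."""


@dataclass
class OcspResponder:
    revoked: set                              # serial numbers the CA has revoked
    online: bool = True
    seen: list = field(default_factory=list)  # serials this responder was asked about

    def query(self, serial: int) -> str:
        if not self.online:
            raise ResponderUnreachable("responder down")
        self.seen.append(serial)  # the responder (and anyone on path) learns this
        return "revoked" if serial in self.revoked else "good"


def check_revocation(serial: int, policy: Policy, responder: OcspResponder,
                     attacker_blocks_ocsp: bool = False) -> bool:
    """Return True if the client proceeds with the TLS handshake."""
    if policy is Policy.OFF:
        return True
    try:
        if attacker_blocks_ocsp:
            # The MITM who forged the cert also drops the OCSP request.
            raise ResponderUnreachable("blocked on path")
        status = responder.query(serial)
    except ResponderUnreachable:
        # Soft-fail treats "no answer" as "good"; hard-fail treats it as fatal.
        return policy is Policy.BEST_ATTEMPT
    return status == "good"


# Constructed sites and certificate serial numbers (hypothetical values).
SITES = {"bank.example": 0x1001, "mail.example": 0x1002, "news.example": 0x1003}
REVOKED_SERIAL = SITES["bank.example"]  # assume bank.example's cert was revoked


def outcomes() -> dict:
    """Accept/reject decision, per policy, for the cases discussed in the thread."""
    results = {}
    for policy in Policy:
        up = OcspResponder(revoked={REVOKED_SERIAL})
        down = OcspResponder(revoked={REVOKED_SERIAL}, online=False)
        results[policy.value] = {
            "revoked, responder up, no attacker": check_revocation(REVOKED_SERIAL, policy, up),
            "revoked, attacker blocks ocsp": check_revocation(REVOKED_SERIAL, policy, up, True),
            "good cert, responder down": check_revocation(SITES["news.example"], policy, down),
        }
    return results


def leaked_history(policy: Policy) -> list:
    """Sites the OCSP responder can infer from the serials it was queried for."""
    responder = OcspResponder(revoked=set())
    for serial in SITES.values():
        check_revocation(serial, policy, responder)
    serial_to_host = {s: h for h, s in SITES.items()}
    return [serial_to_host[s] for s in responder.seen]


if __name__ == "__main__":
    for policy, cases in outcomes().items():
        for case, accepted in cases.items():
            print(f"{policy:13} {case:36} -> {'accept' if accepted else 'reject'}")
    print("responder learned:", leaked_history(Policy.BEST_ATTEMPT))
```

Running it shows the shape of the argument: best attempt only rejects the revoked certificate when the responder is actually reachable, so an attacker who is already on path gets the revoked certificate accepted by blocking one more connection; strict mode rejects it, but also rejects a perfectly good certificate whenever the responder is down, which is what makes responders an attractive DDoS target. Either way, every serial the client asks about is visible to the responder and to the network in between.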

------
blinkingled
And of course after enabling this for Safari, the Mac App Store starts to hang
on startup in the certificate-check code path. :(

I recently enabled the "Logout after idle for [ ] min" setting to be more secure
on OS X, and LoginWindow just hangs if I leave the laptop idle and let it go to
sleep.

Looks like Apple only tests for default and common settings.

~~~
Entlin
I enabled it as well. The App Store doesn't hang, but it is much slower:
downloading an app normally starts after 1 second; with the fix enabled it
takes 8 s to even start.

LoginWindow sleep worked fine when logging off and pressing the sleep button.
Didn't have time to properly test your case.

The big question for me is: how do people with iPhones and iPads enable this?
The test in the article yields "not trusted" instead of "revoked"...

Funny that Apple has revocation checking turned on for app certs, but not for
SSL. Guess they value their platform higher than user data...

~~~
blinkingled
About the LoginWindow - I have password protected screen saver enabled as
well. Perhaps that's what you are missing.

For me after I wake it up from sleep after 60 minutes (the setting for idle
logout), it wakes up to a beach ball and I can't enter my password.

------
mattparcher
The recommended settings[0] in Keychain Access.app appear to be the defaults
in the Lion (10.7) Developer Preview 2.

[0] _Preferences > Certificates:_

      Online Certificate Status Protocol (OCSP): Best Attempt
      Certificate Revocation List (CRL): Best Attempt
      Priority: OCSP

