[Mozilla Enterprise] security.OCSP.require - Breaks Many Sites
Eddie Rowe
eddie.rowe at tdhca.state.tx.us
Tue Feb 25 22:12:54 UTC 2020
The Center for Internet Security publishes a number of security baselines. Firefox’s baseline is very old and does not appear to be updated, so I took the older ESR version and looked at Policies and settings to come up with my own newer version.
“4.6 (L2) Set OCSP Response Policy (Scored)
Profile Applicability:
Level 2
Description:
This setting dictates whether Firefox will consider a given certificate to be invalid if Firefox is unable to obtain an Online Certificate Status Protocol (OCSP) response for it.
Rationale:
Requiring an OCSP response will reduce an adversary's ability to successfully leverage a compromised and revoked certificate.
Audit:
Perform the following procedure:
1. Type about:config in the address bar
2. Type security.ocsp.require in the filter
3. Ensure the preferences listed are set to the values specified below:
security.ocsp.require=true
Remediation:
Perform the following procedure:
1. Open the mozilla.cfg file in the installation directory with a text editor
2. Add the following lines to mozilla.cfg:
lockPref("security.ocsp.require", true);
Impact:
Enabling OCSP carries potential privacy implications. For each HTTPS site Firefox visits, a request is sent to an OCSP server to determine if the site's certificate has been revoked. This provides the OCSP server with the IP address of the requester (Firefox or NAT) and, among other properties, the domain name of the site Firefox is accessing.
Additionally, requiring an OCSP response increases the opportunity for valid certificates to be deemed invalid. This may occur if the OCSP server becomes unavailable or is not accessible.
Firefox 26+ supports OCSP Stapling, which mitigates the aforementioned privacy implications.
Default Value:
false
https://www.cisecurity.org/benchmark/mozilla_firefox/
From: Mike Kaply <mkaply at mozilla.com>
Sent: Tuesday, February 25, 2020 2:04 PM
To: Eddie Rowe <eddie.rowe at tdhca.state.tx.us>
Cc: enterprise at mozilla.org
Subject: Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites
Where did you get this recommendation?
Mike
On Tue, Feb 18, 2020 at 3:18 PM Eddie Rowe <eddie.rowe at tdhca.state.tx.us> wrote:
// 4.6 (L2) Set OCSP Response Policy
defaultPref("security.OCSP.require", true);
I have enabled this setting in ESR 68.4 x64 and many sites such as Google and even Mozilla just do not work. I don’t see how this could be adopted at a company level without creating chaos. Are there persons still using this setting? Have you adjusted other settings to help out Firefox?
Example site that does not work with this setting set to true:
https://support.mozilla.org/en-US/questions/1169855
Error:
“Secure Connection Failed
An error occurred during a connection to support.mozilla.org. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.”
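An added audit script, not from the thread or from Mozilla, that parses the lockPref/defaultPref statements of a mozilla.cfg fragment and flags the hard-fail OCSP setting discussed above. The sample config is constructed; the pref names security.OCSP.enabled and security.ssl.enable_ocsp_stapling are existing Firefox prefs the thread does not mention.

```python
import re

# Real Firefox pref names (case-sensitive) that this audit recognises.
KNOWN = ("security.OCSP.require", "security.OCSP.enabled", "security.ssl.enable_ocsp_stapling")
CANONICAL = {p.lower(): p for p in KNOWN}
# Matches autoconfig statements such as  lockPref("security.OCSP.require", true);
AUTOCONFIG_RE = re.compile(r'^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    """Convert the JS literal in an autoconfig line to a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def parse_autoconfig(text):
    """Return {pref name: (function, value)} for each pref the file sets."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue  # autoconfig comment
        m = AUTOCONFIG_RE.match(line)
        if m:
            func, name, raw = m.groups()
            prefs[name] = (func, parse_value(raw))
    return prefs

def audit_ocsp(prefs):
    """Return findings for the OCSP hard-fail setting discussed in the thread."""
    findings = []
    for name, (func, value) in prefs.items():
        real = CANONICAL.get(name.lower())
        if real and real != name:
            # Pref names are case-sensitive: this line creates an unrelated pref
            # and leaves the real one at its default.
            findings.append(f"{name}: wrong case, does not set {real}")
        elif name == "security.OCSP.require" and value is True:
            mode = "locked" if func == "lockPref" else "default only, user can override"
            findings.append(f"{name}=true ({mode}): a site whose OCSP responder is "
                            "unreachable or returns an error will fail to load")
    return findings

# Constructed sample mozilla.cfg fragment (not taken from the thread).
SAMPLE_CFG = """\
// 4.6 (L2) Set OCSP Response Policy
defaultPref("security.OCSP.require", true);
lockPref("security.ocsp.enabled", 1);
lockPref("security.ssl.enable_ocsp_stapling", true);
"""
```

Running audit_ocsp(parse_autoconfig(SAMPLE_CFG)) reports both the hard-fail setting and the mis-cased pref name, which is the same spelling the CIS text uses.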