
Blocking browser connections to ocsp urls?

I use Little Snitch to block a bunch of advertising and tracking domains as I surf... for fun, more or less. It's like using DuckDuckGo as my search engine, essentially.


If I am merely using a non-financial, non-shopping site - like a social media one - while logged into that site, does it matter if I block all access to a given OCSP URL, like evintl-ocsp.verisign.com, when I'm logged onto this site?


In other words, if I block what I think is a certificate retrieval of some sort here, with only a temporary Little Snitch rule, will my OS go and find some substitute certificate which then could later present a security risk to me at some other, more sensitive site, like a financial or shopping one when a certificate is needed? So will it result in my Mac winding up with bogus certificates in some way?

Posted on Jun 9, 2013 2:25 PM

5 replies

Jun 10, 2013 2:15 AM in response to mad_cowed_disease

This reply from Varjac Paw in another thread may answer your question:


ocspd is the "Online Certificate Status Protocol" daemon that processes all certificate validation. This handles both CRL - Certificate Revocation Lists & OCSP - Online Certificate Status Protocol validation of certificates. It's part of both the Keychain and the certificate framework. Verisign is one of the common providers of Internet certificates, so it's one of the services the ocspd process will contact for certificate updates and verification.


You do want to allow this process to connect, yes. Only if it were attempting to contact some completely unknown site would it be cause for followup to verify the site.


https://discussions.apple.com/thread/2006046?answerId=9464357022#9464357022

Jun 10, 2013 5:18 AM in response to Klaus1

As I stated in my specific question, I am quite sure I would not like to let this connection take place, since it doesn't involve a financial transaction of any kind. I enjoy blocking as many tracking techniques as I can... for fun.


My question was whether blocking the connection in the situation I described would create a bad certificate somewhere in my OS which could have a negative security effect when I later surf to some site for which I actually do need a measure of security, say, as when I use a credit card.
