Beep boop - this is a robot. A new show has been posted to TWiT…
What are your thoughts about today’s show? We’d love to hear from you!
Another banger of an episode!
For what it’s worth, here’s what I see when I point Brave on macOS 14.6 to the site:
It appears that Steve’s HTTPS server was caching the certificate staple from when it was valid (before it was revoked). Eventually the cache expired and it no longer stapled it as valid and thus browsers could detect it had been revoked. (It appears that a staple overrides any lookup attempt… which I guess makes sense as that was the purpose of stapling in the first place, to save the delay of any lookup.)
Firefox has a selection in their settings to check the OCSP server for cert revocation. Brave does seem to check. Not sure if that is through OCSP or not.
I can confirm that revocation did work for me (showing the proper “Not secure” warning), on:
So it seems I just got lucky, or it only took some time to distribute the revocation, which in itself is a bad sign, but better than nothing at least.
Kinda. Steve promises more discussion on this in this week’s Security Now episode, so stay tuned.
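An added example, not part of any post in this thread: a small Python check that reads the OCSP section printed by `openssl s_client -status` and reports whether a stapled "good" response can still be accepted after a revocation, which is the caching behaviour discussed above. The sample output, its dates, the function names and the `revoked_at` input are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the OCSP section from `openssl s_client -status`;
# status and dates are made up for illustration.
SAMPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Aug  1 12:00:00 2024 GMT
    Cert Status: good
    This Update: Aug  1 12:00:00 2024 GMT
    Next Update: Aug  8 12:00:00 2024 GMT
"""

def _parse_time(text):
    # OpenSSL pads single-digit days with an extra space; collapse it first.
    cleaned = " ".join(text.split())
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_staple(output):
    """Return status and validity window of the staple, or None if none was sent."""
    pattern = r"^[ \t]*(Cert Status|This Update|Next Update):[ \t]*(.+?)[ \t]*$"
    fields = dict(re.findall(pattern, output, re.M))
    if "Cert Status" not in fields or "This Update" not in fields:
        return None
    nxt = fields.get("Next Update")
    return {
        "status": fields["Cert Status"],
        "this_update": _parse_time(fields["This Update"]),
        "next_update": _parse_time(nxt) if nxt else None,
    }

def assess(staple, now, revoked_at=None):
    """Classify what a client relying on the staple would conclude at `now`."""
    if staple is None:
        return "no staple: client must do its own revocation lookup (or skip it)"
    if now < staple["this_update"]:
        return "staple not yet valid"
    if staple["next_update"] is not None and now > staple["next_update"]:
        return "staple expired: server must fetch a fresh response"
    if (staple["status"] == "good" and revoked_at is not None
            and staple["this_update"] < revoked_at <= now):
        return "stale good: revoked after the staple was issued, still accepted"
    return "staple says " + staple["status"]
```

The gap between `This Update` and `Next Update` is the longest a server can keep serving a pre-revocation "good" staple, so that interval is the number to look at when judging how slowly a revocation can surface.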