Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You could of course cache the list, only download whatever was new from a specific date. Short-lived certs would vastly reduce the list as well.

Not really sure how big of a problem a list could be?



Let's see. I can cache the information that example.com is valid up to May 31 2026, but then how do I know that it gets revoked on any day before that date?

And if I cache the information that it is revoked, how do I know that it's allowed again?

I could check, let's say one time per day even if I don't access that site.

In any case I'm still leaking which domains I browse and I keep trusting cached certificates until the next check.

On the other side, with short lived certificates I would be trusting a certificate for a longer time, until it expires.

Downloading a list of all certificates and their status from every CAs is probably unfeasible.

It seems that we can't escape a tradeoff between privacy and security.


You cache the revocation list, no? If it is in the list it is revoked...

How do you know it is allowed again? Because it responds with a new certificate, that isn't revoked...

You are not leaking anything. You are just downloading a list of revoked domains. Regardless of whether you are visiting them or not.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: