Microsoft OCSP Stapling and Certificate Revocation Disablement #3881
SSJPKXL asked this question in Various ideas and suggestions
I think it would be great if Sandboxie could completely block Certificate Verification, Revocation, and OCSP stapling-related checks for Sandboxie Crypto. Windows, for example, forces users to visit the ctldl.windowsupdate.com domain for certificate verification and exchanges information in plain text over TCP port 80. The mentioned address can't be blocked in the hosts file, and 3rd party software (or hardware) must be used to block that domain because it is hardcoded in DNSAPI. You can disable certificate root checks in GPO, but doing so results in Windows reaching out to microsoft.com instead of ctldl.windowsupdate.com. On top of that, ctldl.windowsupdate.com has a bunch of canonical names that change all the time. It is hard to keep up with them.
Visiting Microsoft root certificate stores reveals more information about the OS than it helps with security. Modern browsers like Mozilla Firefox have their own certificate stores, and I think Chrome added its own root program back in 2022.
For now Sandboxie Crypto can be blocked with a firewall, but I think it is best to have a feature to just disable access to Microsoft Root Certificate stores.
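An added example, not part of the original post or of Sandboxie: one way to keep a firewall block list in step with the changing canonical names the post mentions is to follow the CNAME chain recorded in resolver logs. The answer records, alias names and addresses below are constructed placeholders; only `ctldl.windowsupdate.com` comes from the post, and the function names are hypothetical.

```python
from collections import defaultdict

ROOT = "ctldl.windowsupdate.com"  # the only name taken from the post

# Constructed resolver-log answers (name, type, value); aliases and IPs are placeholders.
SAMPLE_ANSWERS = [
    ("ctldl.windowsupdate.com.", "CNAME", "alias-a.cdn.example.net."),
    ("alias-a.cdn.example.net.", "CNAME", "Edge-7.cdn.example.net."),
    ("edge-7.cdn.example.net.", "A", "192.0.2.10"),
    ("edge-7.cdn.example.net.", "A", "192.0.2.11"),
    ("ctldl.windowsupdate.com.", "CNAME", "alias-b.cdn.example.org."),  # later rotation
    ("alias-b.cdn.example.org.", "A", "198.51.100.7"),
    ("unrelated.example.com.", "A", "203.0.113.5"),
    ("edge-7.cdn.example.net.", "CNAME", "alias-a.cdn.example.net."),  # loop, must not hang
]

def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()

def alias_closure(answers, root=ROOT):
    """Return (names, addresses) reachable from root through CNAME records."""
    cnames, addrs = defaultdict(set), defaultdict(set)
    for name, rtype, value in answers:
        if rtype == "CNAME":
            cnames[norm(name)].add(norm(value))
        elif rtype in ("A", "AAAA"):
            addrs[norm(name)].add(value)
    seen, stack = set(), [norm(root)]
    while stack:  # iterative walk; the seen set stops CNAME loops
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(cnames[name])
    ips = set()
    for name in seen:
        ips |= addrs[name]
    return sorted(seen), sorted(ips)

def new_aliases(known, answers, root=ROOT):
    """Names in the current chain that an existing block list does not cover."""
    covered = {norm(k) for k in known}
    names, _ = alias_closure(answers, root)
    return [n for n in names if n not in covered]
```
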