question about ocsp

[tijara]

Probably a clueless question, but I can't find an answer. If I enable "block all unencrypted requests" on HTTPS always, my browser slows down dramatically. It's usually after using !bangs. At the same time, I see hundreds of requests to http://ocsp.pki.goog/ and https://ocsp.pki.goog/ logged in ematrix. Everything works again if I uncheck that option in HTTPS always, but why are part of these requests to Google unencrypted? Is this behavior normal? Is this why I need the HTTPS inquirer companion?

(Posting here because it's not a help request / bug report but mere curiosity for an explanation).

[Moonchild]

You're probably making spurious requests for embedded resources due to the way https always does this.
It's strongly discouraged to use an extension for what the internet has already-established standard methods for. If you want to use opportunistic encryption (using encryption whenever available) then please enable it in Pale Moon's preferences (security category) and uninstall https always.
OCSP is a public request, it doesn't have to be encrypted and in general these requests are always performed over HTTP (because otherwise you may run into the chicken-and-egg problem that the OCSP request itself needs OCSP validation).
Please see https://en.wikipedia.org/wiki/Online_Ce ... s_Protocol for more details.

[tijara]

Thanks, I completely missed those options and it makes a lot of sense that OCSP requests may be unencrypted. Is enabling these options still a security risk as of 2020?

[Moonchild]

Is enabling these options still a security risk as of 2020?

What security risks are you talking about?

[tijara]

What security risks are you talking about?

The ones explained in the Help file of the browser, after all they're unchecked by default.

[Moonchild]

Oh the technology drawbacks are not in any way different. They are inherent to it.
If anything using the extension before merely amplified the issue that use of OE might have.

[tijara]

Thanks!