ocsp response

eden23 · March 17, 2011, 9:37pm

Hi there everybody,
I’m running several customization products from Stardock. (http://www.stardock.com/)
Some of their software, specifically WindowFX and Deskscapes, constantly connect to the internet to download ocsp-response files from Comodo CA Ltd.
Here are some sample IP Adresses:
Wfx - 149.5.128.169 / 91.199.212.169
Deskscapes - 91.209.196.169 / 149.5.128.169 / 91.199.212.169.
Both applications want to access the internet about once a week.
Questions:

Why those conections? What is being downloaded?
How can it be stopped?
Anything to shed light on this will be greatly appreciated…

salvatoreg · March 18, 2011, 3:59am

OCSP is Online Certificate Status Protocol. It’s a method by which a digital certificate certificate is checked for validity via the CA that issued it.

eden23 · March 18, 2011, 5:53am

Hmm… why does it happen so frequently and why does other software never download ocsp responses.
Personally I’m totally satisfied with any certificate status, so how can it be stopped?

salvatoreg · March 18, 2011, 3:28pm

It happens a lot more rapidly because a certificate can be revoked at any time. These OCSP responses take up MINIMAL bandwidth (less than 1K in file size.)

IE, Opera, Firefox, Chrome, Safari and MOST modern web browsers download OCSP responses. It’s just you don’t see them as these happen predominately in the background. There are other programs that would use OCSP, but these are the main ones.

Personally I'm totally satisfied with any certificate status,

You're satisfied with a revoked or expired certificate?

so how can it be stopped?

Contact whomever created the program.

eden23 · March 18, 2011, 6:45pm

Thank you Sal Amander for your quick response and the clearing up.
To be sure, I already submitted a support ticket to stardock. Havent received any reply, yet.
I posted here, anyway, because I hoped there would be some sort of system setting in Windows…
You asked:
You’re satisfied with a revoked or expired certificate?
In the case of a working software that’s not supposed to access the internet at any time the answer is definitely: yes.
That’s probably what I don’t understand about the whole thing here. What if the certificate were revoked or expired? I’d still be using the software. Seems like this is more something concerning the developer, and not me, the user.

salvatoreg · March 18, 2011, 7:37pm

Does Stardock hold any passwords or other sensitive data (credit card data, user/password, etc.) that might be transmitted across the Internet? If so that’s why there is an SSL certificate in place and thus OCSP being used.

eden23 · March 19, 2011, 7:41am

Generally they probably do hold some kind of sensitive data, but definitely not in conjunction with this software, which is just supposed to sit on my desktop and do its work locally.
I’m waiting for reply from their support now…