Unexpected OCSP requests caused by WEC

Open marksweb opened this issue 4 years ago • 2 comments

I ran this tool earlier today to generate a report on a domain.

Running a local server since then is showing requests coming from somewhere, which seems rather coincidental.

These are the requests I'm seeing:

[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0
[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0
[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0
[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0
[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0
[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0
[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0

Does this tool start ocspd on macOS and it perhaps didn't stop the process?

marksweb avatar Jan 14 '21 17:01 marksweb
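
Added example (not part of the original issue or the WEC code): the logged paths have the shape of GET-style OCSP requests (RFC 6960, Appendix A), so URL-decoding and base64-decoding the last path segment yields a DER `OCSPRequest` whose `CertID` names the certificate being checked. The sample line is copied from the log above; the function names are illustrative.

```python
import base64
import re
from urllib.parse import unquote

# One log line copied from the issue above.
SAMPLE = '[14/Jan/2021 17:03:20] "GET /ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIHOTNg61vyxk%3D HTTP/1.1" 302 0'

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Decode DER OID contents into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_ocsp_get(log_line):
    """Extract the first CertID from a GET-style OCSP request in a log line."""
    path = re.search(r'"GET (\S+) HTTP', log_line).group(1)
    # Split before unquoting: the base64 payload itself contains %2F ('/').
    der = base64.b64decode(unquote(path.rsplit("/", 1)[1]))
    tbs = children(children(read_tlv(der, 0)[1])[0][1])  # TBSRequest fields
    req_list = next(v for t, v in tbs if t == 0x30)      # skips [0] version
    cert_id = children(children(children(req_list)[0][1])[0][1])
    alg, name_hash, key_hash, serial = (v for _, v in cert_id)
    return {"hash_alg": decode_oid(children(alg)[0][1]),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(), "serial": serial.hex()}
```

The issuer key hash and serial number can then be compared against certificates present on the machine to see which one the OCSP client was checking.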

Thank you for sharing. We use the tool mostly with Linux. I have not seen this traffic yet.

The Website Evidence Collector does not integrate ocspd. However, maybe the Chromium component launches it in some circumstances.

Can you better describe how you have installed the WEC, the launch options and where precisely you witness this traffic? With which tool?

ghost avatar Jan 14 '21 17:01 ghost

Yeah, sorry, some vital details missed there @rriemann-eu

So I installed from GitHub with: npm install --global https://github.com/EU-EDPS/website-evidence-collector/tarball/latest

Then I ran the tool with no args and then with website-evidence-collector --quiet --yaml --no-output

I'm seeing the traffic while I'm running a Django runserver (through PyCharm) on port 80

marksweb avatar Jan 14 '21 23:01 marksweb