• caglararli@hotmail.com
  • 05386281520

Do VPNs log and analyze OCSP requests?

Çağlar Arlı      -    11 Views

Do VPNs log and analyze OCSP requests?

I am a privacy-conscious user currently living in Russia where the Internet is censored and monitored by the Russian state. Russian ISPs are legally required to log and store all users’ Internet traffic (even though in practice they seem to only log metadata if the traffic is encrypted with TLS, and many smaller ISPs violate the law by not maintaining logs at all) and provide it to law enforcement upon request. Russia blocks many popular VPNs, and Tor is only accessible through non-public bridges unknown to the Russian censorship authorities (they block the bridges they discover).

In this kind of an environment, it seems that using just about any VPN is better than using no VPN, even if the VPN in question is a “honey trap” controlled by the Chinese and logging users’ traffic in violation of its own privacy policy, as a recent leak has shown. Thus, in order to remain more private on my iPad, I further route much of my web traffic through the Onion Browser, using a User → VPN → Tor → Internet tunnel.

However, due to iPadOS limitations, the Onion Browser leaks information about the traffic through OCSP requests that are handled on the operating system level and are not routed through Tor, but only through the system-wide VPN I’m connected to. Given that an OCSP request contains the serial number of the website’s certificate which can be easily used to look up the domain (for example, at crt.sh), OCSP leaks somewhat defeat the purpose of using Tor in a situation where I don’t need to conceal my identity from the website I’m visiting, but want to hide my traffic from Russian ISPs, the Russian state, and a potentially nosy VPN.

So my question is the following:

How much of a privacy concern should be the fact that a VPN has access to my OCSP requests? Is there any information (official or leaked) about whether VPNs that log users’ traffic (openly or covertly) only log the traffic’s metadata or also its content? Has a logged OCSP request ever been used to unmask a user’s traffic?

P.S.: I can (and occasionally do) connect directly to Tor through a bridge that the Russian state seems not to know about, but am concerned that it increases the likelihood of the bridge being discovered and blocked (Russian ISPs are known to be using DPI), so I want to keep Tor bridges as a fallback option.