OCSP-related issue with portal

Hi All,

We are facing an issue when scanning our portal with https://www.hybrid-analysis.com/

After scanning, it is marked as suspicious due to some suspicious indicators. You can check the scanned report at the URL below:

https://www.hybrid-analysis.com/sample/5bb7fc12d01cf67f162d781bbfa28436e8fe0d406de0189f8cc084c6dd4c836a/5cf128aa038838d0739dac6d

Please have a look at the “Suspicious Indicators” section; it shows the URL “http://isrg.trustid.ocsp.identrust.com” marked as malicious. Previously it also showed one more URL from Let’s Encrypt in this section.

After some R&D, I found that these URLs are related to OCSP (Online Certificate Status Protocol). To resolve this issue I enabled SSL stapling on the server. After that the Let’s Encrypt URL was removed from the report, but the other one, “http://isrg.trustid.ocsp.identrust.com”, is still showing in the report. Can we enable multiple SSL stapling on the server? I found a reference for this at the URL below:

But how can we do this? Or please suggest some other way to resolve this. Please help me resolve this issue.


Why does it need to be resolved?

  1. Do you really require that scan to be perfectly correct? Or is it something you’d rather want?
  2. It says: “1/70 reputation engines marked (…)”. Just one out of seventy! That’s probably just a false positive. I would say: ignore it.

Not really. The only news since that thread was posted is that the multi-stapling extension was deprecated in TLS 1.3! If any TLS implementations ever supported it, they’re likely to remove it.


I agree with Osiris, this sounds like a single reputation engine that either doesn’t understand OCSP, or has flagged the IdenTrust URL because it’s been seen on a hacked website at some point (despite the millions of unhacked websites that also point to it). Since hybrid-analysis gives no insight into which provider is doing this, your best bet would probably be to contact them about the false positive.


I agree with you all, but when we try to deploy our portal in highly secured domains like banking or FMCG, they need a clear report. It currently shows as suspicious.


From the report:

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
1/70 reputation engines marked “http://isrg.trustid.ocsp.identrust.com” as malicious (1% detection rate)
source External System
relevance 10/10

Maybe the “External System” is “CRDF”: https://www.virustotal.com/gui/url/39ab155edefebd7856db462f6d18442b41fd5ce47237a0f845ee450b78a9043d/detection
Someone from Let’s Encrypt/IdenTrust could contact them here: https://threatcenter.crdf.fr/false_positive.html

If you want to, you can change the intermediate cert to the ISRG Root X1-signed one; then it won’t call isrg.trustid.ocsp.identrust.com. But keep in mind that it isn’t in the trust store until Android 7.1.2 (other OSs mostly get trust store updates separately from the OS version).
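To see why stapling removed one URL but not the other, and what swapping the intermediate changes, it helps to look at which certificate in the served chain carries which OCSP responder URL (the Authority Information Access extension). The server can only staple the response for its own leaf certificate; the responder URL inside the intermediate is still visible to, and fetched by, any client that checks the intermediate. The script below is an added example and is not from this thread, Let’s Encrypt or IdenTrust: it builds a constructed three-certificate demo chain (root, intermediate, leaf) with OCSP URLs on the intermediate and leaf only, lists the responder URL per certificate, and includes a live stapling check. It assumes an OpenSSL 1.1+ binary on PATH; the names `Demo Root`, `Demo Intermediate`, `leaf.example.test` and the `http://ocsp.*.example.test` URLs are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists the OCSP responder URL
# (AIA extension) of every certificate in a PEM chain, and builds a constructed
# three-cert demo chain to run it against. Assumes openssl (1.1+) on PATH;
# all CA names and http://ocsp.*.example.test URLs are invented for the demo.

# Print "<position> <ocsp-uri or -none->" for each certificate in a PEM bundle,
# leaf first. The server can only staple the leaf's response; a client that
# checks the intermediate still contacts the responder printed on line 2.
ocsp_urls_in_chain() {
    bundle="$1"
    dir=$(mktemp -d)
    # Split the bundle into one file per certificate: cert.1.pem, cert.2.pem, ...
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    i=1
    while [ -f "$dir/cert.$i.pem" ]; do
        # -ocsp_uri prints the AIA OCSP URL, or nothing if the cert has none.
        uri=$(openssl x509 -in "$dir/cert.$i.pem" -noout -ocsp_uri)
        echo "$i ${uri:--none-}"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Build root -> intermediate -> leaf in directory $1. The intermediate and the
# leaf each carry an OCSP URL (mirroring a cross-signed chain where the
# intermediate points at a different CA's responder); the root carries none.
# Writes $1/chain.pem in the order a server sends it: leaf, intermediate, root.
make_demo_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'authorityInfoAccess=OCSP;URI:http://ocsp.intermediate.example.test' > "$d/int.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/int.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/int.cnf" \
        -out "$d/int.pem" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'authorityInfoAccess=OCSP;URI:http://ocsp.leaf.example.test' > "$d/leaf.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" \
        -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.cnf" \
        -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# Live check against a real host (needs network, not exercised by the demo):
# returns 0 if the server staples an OCSP response for its leaf certificate.
check_stapling() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
        | grep -q "OCSP Response Status: successful"
}

# Demo run: expected output is
#   1 http://ocsp.leaf.example.test
#   2 http://ocsp.intermediate.example.test
#   3 -none-
demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
ocsp_urls_in_chain "$demo_dir/chain.pem"
rm -rf "$demo_dir"
```

Run `ocsp_urls_in_chain` against the chain your server actually sends (for example the output of `openssl s_client -connect host:443 -servername host -showcerts`) to see which certificate carries the URL the scanner objects to. If it is on line 2 or later, stapling on your server cannot make it disappear; only serving a chain whose intermediate has a different (or no) responder URL will, which is what switching to the ISRG Root X1-signed intermediate does, with the trust-store caveat noted above.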

And they need one exactly from that “Hybrid analysis”? Looking at it, I’m not really convinced of its reputability.
