Closed Bug 991207 Opened 11 years ago Closed 10 years ago

Security: ocsp connections appear to be made unencrypted on port 80

Categories

(Core :: Security: PSM, defect)

28 Branch
x86
macOS
defect
Not set
normal


RESOLVED DUPLICATE of bug 92923

People

(Reporter: mozilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517

Steps to reproduce:

1. Install Firefox on OS X
2. Install Little Snitch
3. Reboot
4. Start Firefox

Expected results:

- As many built-in connections as possible are made over encrypted channel(s)
- As many security-critical functions as possible are made over encrypted channel(s)

Actual results:

- I notice Firefox tries to make a connection to ocsp.godaddy.com on port 80
- I notice Firefox tries to make a connection to ocsp.digicert.com on port 80
- Upon browsing a page encrypted with an EV certificate chain, I notice Firefox tries to make a connection with evsecure-ocsp.geotrust.com on port 80.

Proposed change: Change all of these service endpoints to HTTPS connections
Group: core-security
Component: Untriaged → Security: PSM
Product: Firefox → Core
Note that users install Firefox on laptops and travel to hotels, etc., where the first few minutes of web browsing are not secure or correct; where replies to all web requests may conceivably be fake replies from Wi-Fi walled gardens or whatnot. Any such encrypted connection attempt results in an obvious failure; but any unencrypted connection is subject to false information being returned by the walled garden or indeed any other Man-in-the-middle at any time. Such a maliciously returned result will presumably be implicitly trusted by Firefox, and:

- legitimate certificates may be revoked by a false reply to an OCSP query;
- truly dangerous certificates may be omitted from the revocation list, and then used to further the attack on the user;
- other possible outcomes from a lack of a guaranteed trustworthy OCSP reply.
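Added example, not part of the bug report or of any Firefox code: a small Python check that scans firewall-style connection log lines for the pattern the reporter observed, OCSP responder hosts contacted on plain port 80, and tallies them per responder so a defender can see how much revocation traffic leaves the machine in cleartext. The log line format, the `looks_like_ocsp_responder` hostname heuristic and the sample entries are constructed assumptions, not a real Little Snitch export.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in an assumed "timestamp app -> host:port" firewall-log
# shape (not a real Little Snitch export); hosts are those named in the report.
SAMPLE_LOG = """\
2014-04-02 10:01:12 firefox -> ocsp.godaddy.com:80
2014-04-02 10:01:13 firefox -> ocsp.digicert.com:80
2014-04-02 10:01:20 firefox -> evsecure-ocsp.geotrust.com:80
2014-04-02 10:02:05 firefox -> example.com:443
2014-04-02 10:02:30 firefox -> ocsp.example-ca.test:443
2014-04-02 10:03:00 firefox -> ocsp.digicert.com:80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<app>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)$")

@dataclass(frozen=True)
class Finding:
    ts: str
    app: str
    host: str
    port: int

def looks_like_ocsp_responder(host):
    """Assumed heuristic: CA responder hostnames conventionally carry an 'ocsp' label."""
    labels = host.lower().split(".")
    return any(lab == "ocsp" or lab.startswith("ocsp-") or lab.endswith("-ocsp") for lab in labels)

def cleartext_ocsp_connections(log_text):
    """Connections to an OCSP-looking host on plain port 80: these requests are
    readable and alterable by anything on the network path, e.g. a captive portal."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unparseable line: skip rather than guess
        port = int(m["port"])
        if port == 80 and looks_like_ocsp_responder(m["host"]):
            findings.append(Finding(m["ts"], m["app"], m["host"], port))
    return findings

def responders_by_count(log_text):
    """Per-responder count of cleartext OCSP connections, for a quick report."""
    return dict(Counter(f.host for f in cleartext_ocsp_connections(log_text)))

if __name__ == "__main__":
    for host, n in responders_by_count(SAMPLE_LOG).items():
        print(f"{host}: {n} cleartext OCSP connection(s) on port 80")
```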
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE