
> simple pieces can become incredibly useful when you find a clever way to combine them

Here's the thing. There's nothing to combine this info with that doesn't already have this info. IP+User agent. This info is sent with every request and any other gathering of data will contain these anyway.

So it's not just harmless in itself, it's harmless, period.

How is this different from OCSP pings and stuff like that?




I find it difficult to believe you cannot answer that question on your own.

The difference is that OCSP provides a needed service, the very purpose being related to a TLS connection that the user requested. Checking the CRL is an important part of the TLS security process, and it would be stupid to ignore it.

A favicon provides no security benefit, and is entirely optional.

Yes, it may be true that making a GET request for both a CRL and a favicon might leak more or less the same information. That isn't relevant, and misses the point entirely about minimizing the network. We don't know what data is useful. It is entirely possible that the situation can change in the future and previously harmless data can become a part of something greater.

Minimizing network use to what is necessary is an implementation of the "default deny" policy, and it is the only sane security policy because we cannot predict the future. Enumerating badness[1] is always going to end up playing catch-up.

[1] http://www.ranum.com/security/computer_security/editorials/d...


I was talking about the safe browsing request. Arguably that's even more important to the average user than TLS safety. MITMs are rare, malware sites are plenty.

I do think that the favicons could just be integrated.

I don't think there's any point minimizing the network in this specific case. "We don't know what data is useful.", sure, but any other data this can be compounded with _already contains the same information_.

Though yes, stuff could change in the future. I can't see how it could change in any way to make this useful, but you're right, this isn't something we can predict. That point is valid.

