Microsoft OCSP Stapling and Certificate Revocation Disablement #3881
Unanswered. ghost asked this question in Various ideas and suggestions. Replies: 1 comment
Microsoft OCSP Stapling enhances security by improving the efficiency of TLS (Transport Layer Security) connections. It allows servers to obtain and cache OCSP (Online Certificate Status Protocol) responses from Certificate Authorities, reducing latency and enhancing privacy. This feature verifies the validity of SSL/TLS certificates, ensuring secure communication between clients and servers without compromising performance.
I think it would be great if Sandboxie could completely block Certificate Verification, Revocation, and OCSP stapling-related checks for Sandboxie Crypto. Windows, for example, forces users to visit the ctldl.windowsupdate.com domain for certificate verification and exchanges information in plain text over TCP port 80. The mentioned address can't be blocked in the hosts file, and third-party software (or hardware) must be used to block that domain because it is hardcoded in DNSAPI. You can disable certificate root checks in GPO, but doing so results in Windows reaching out to microsoft.com instead of ctldl.windowsupdate.com. On top of that, ctldl.windowsupdate.com has a bunch of canonical names that change all the time. It is hard to keep up with them.
Visiting Microsoft root certificate stores reveals more information about the OS than it helps with security. Modern browsers like Mozilla Firefox have their own certificate stores, and I think Chrome added its own root program back in 2022.
For now Sandboxie Crypto can be blocked with a firewall, but I think it is best to have a feature to just disable access to the Microsoft Root Certificate stores.
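An added PowerShell example of the workaround the comment above describes (this is not code from the discussion's authors or from the Sandboxie project). It shows the changing CNAME chain behind ctldl.windowsupdate.com, lists which local processes currently hold plain-HTTP (TCP/80) connections, applies the registry value behind the "Turn off Automatic Root Certificates Update" group policy, and adds a per-program outbound firewall block. The executable path in `$ProgramPath` is an assumption and must be adjusted to the local Sandboxie install; run from an elevated session.

```powershell
# Added example, not part of the discussion or of Sandboxie itself.
# Inspect and block the Windows CTL / revocation traffic described in the comment.
# ASSUMPTION: $ProgramPath is the Sandboxie crypto surrogate executable; the default
# below is a guess and must be changed to match the local install.
#Requires -RunAsAdministrator

param(
    [string]$ProgramPath = 'C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe',  # assumed path
    [string]$CtlHost     = 'ctldl.windowsupdate.com'
)

# 1. Show the CNAME chain and current A records. The chain changes over time,
#    which is why blocking by host name or by address (hosts file, IP rules) is fragile.
Write-Host "DNS chain for $CtlHost"
Resolve-DnsName -Name $CtlHost -Type A |
    Select-Object Name, Type, IPAddress, NameHost |
    Format-Table -AutoSize

# 2. Which local processes currently hold established TCP/80 connections?
#    Outside a sandbox the CryptSvc traffic normally appears under svchost.exe;
#    inside Sandboxie it comes from the crypto surrogate process.
Get-NetTCPConnection -RemotePort 80 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process       = $p.ProcessName
            Pid           = $_.OwningProcess
            RemoteAddress = $_.RemoteAddress
        }
    } | Format-Table -AutoSize

# 3. Registry equivalent of the GPO setting "Turn off Automatic Root Certificates
#    Update". This stops the AuthRoot CTL download from ctldl.windowsupdate.com but,
#    as the comment notes, does not stop every outbound certificate-related request.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'DisableRootAutoUpdate' -Value 1 -Type DWord

# 4. Per-program outbound block on TCP/80. Keying on the executable rather than on a
#    host name or address makes the rule immune to the changing CNAMEs; it also
#    covers CRL and OCSP fetches made by that program, since those are plain HTTP too.
$ruleName = 'Block Sandboxie crypto surrogate outbound (TCP/80)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block `
        -Program $ProgramPath -Protocol TCP -RemotePort 80 | Out-Null
}

# Verify: the rule exists, is enabled, and is an outbound block.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

The per-program rule is the robust part: a hosts-file or IP-based block has to chase the CNAME chain that step 1 prints, while the firewall rule follows the process regardless of where it connects. Note that the rule blocks all plain HTTP from that executable, not only the CTL download, which is the behaviour the comment is asking for; remove it with `Remove-NetFirewallRule -DisplayName $ruleName` if the sandboxed programs later need working revocation checks.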