Is your browser secure?

HTTPS. SSL. CA. CRL. OCSP. Cessation of Operation. Confused yet?

Firefox 3 seems to be very proactive in the area of web security. Sometime last night, a client’s SSL certificate got inexplicably revoked by GoDaddy. Firefox was kind enough to give a big fat warning message that the certificate had been revoked, blocking access to the site. IE8, on the other hand, let you through to the site without any hint that there was a problem. After a bit of research, we figured out that the certificate had been listed on GoDaddy’s certificate revocation list. We were able to re-issue the certificate, and the problem was solved.

Now about browser security…

The ability to revoke a certificate is a core feature of SSL because it allows a certificate authority to invalidate a certificate that has been stolen or otherwise compromised. There are two methods for a certificate authority to revoke a certificate: a certificate revocation list (CRL) and the online certificate status protocol (OCSP). OCSP is an alternative to CRLs, and is meant to address some of the shortcomings of CRLs. (You can read Wikipedia for some of the details.) However, both of these methods require that the client browser supports them and that the check is enabled.

As we discovered, Firefox 3 by default checks OCSP for all certificates. IE7 and up on Vista has support for OCSP, but it is not enabled by default. From what I can tell, the default settings of IE and Chrome on XP do not have “Check for server certificate revocation” enabled, and I can’t even find an option like that in Safari 4 on XP. Wikipedia has more information about browser support for OCSP.

Just why are CRLs and OCSP important? Imagine this scenario:
You’re a fairly tech-savvy person who likes the convenience of online banking. Your bank has suffered an attack from an unknown hacker, but they don’t know the full extent yet. The hackers have stolen the bank’s SSL certificate and key, and somehow hijacked the bank’s DNS to point to their own server. The hackers pose as your bank with a replica of the website, all the way down to the stolen SSL certificate. Your bank, being good security-minded people, have called their certificate authority and had the old certificate revoked and a new one issued. Now when you try to go to do your online banking, you end up at the hackers’ fake website. A secure browser would see that the certificate provides URLs where the certificate authority has their certificate revocation list (CRL) and the online certificate status protocol (OCSP) server. The browser would either download the CRL and check to see if the certificate provided is on that list or query the OCSP server to check the status of the certificate. Since your bank had the old certificate revoked, your browser would give you a giant stop sign with all sorts of flashing lights and alarms telling you that the site you tried to go to shouldn’t be trusted.

Without checking for the certificate’s revocation, you’d end up unknowingly giving the hackers your login credentials to your online banking. A few minutes later, your accounts are dry and all your money moved to some hidden account in the Bahamas.
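
The difference between a client that skips the revocation check and one that performs it can be reproduced offline with the openssl command-line tool. This is an added example, not part of the original post; the throwaway "Demo CA", the host name bank.example and the function name revocation_demo are constructed for illustration.

```bash
# Added example. Constructed data: a throwaway "Demo CA" and a certificate for
# the hypothetical host bank.example. Requires the openssl command-line tool.
revocation_demo() {
  local d out plain checked
  d=$(mktemp -d) || return 1
  mkdir "$d/certs"; : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/certs
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  {
    # The CA and the bank's key pair, then the certificate the CA issues for it.
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem"
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=bank.example" -keyout "$d/site.key" -out "$d/site.csr"
    openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/site.csr" -out "$d/site.pem"
    # The bank reports the theft: the CA revokes the certificate and publishes a CRL.
    openssl ca -config "$d/ca.cnf" -revoke "$d/site.pem" -crl_reason keyCompromise
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl"
  } >/dev/null 2>&1
  # Client that skips revocation checking: chain and signature are still valid.
  out=$(openssl verify -CAfile "$d/ca.pem" "$d/site.pem" 2>&1) || true
  case $out in *": OK"*) plain=accepted ;; *) plain=rejected ;; esac
  # Client that consults the CRL: the certificate's serial number is on the list.
  out=$(openssl verify -crl_check -CAfile "$d/ca.pem" -CRLfile "$d/ca.crl" "$d/site.pem" 2>&1) || true
  case $out in *"certificate revoked"*) checked=revoked ;; *) checked=accepted ;; esac
  rm -rf "$d"
  echo "no-check:$plain crl-check:$checked"
}
revocation_demo
```

The same certificate file passes the first verification and fails the second; the only difference is whether the client looked at the CRL.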

2 Responses to “Is your browser secure?”

  1. Matthew D. says:

    Thanks Jeffrey,

    This is very important information. I have turned this on for my IE.

    I too looked in Safari 4 for an indication of whether it would check a revoked certificate and didn’t find it. But a quick search found a fixed bug report that indicated that before Safari 4.0 there was a problem with this, but from 4 onwards Safari should act like Firefox and there is no user setting to turn it off.

    Matthew

  2. Chi-Ming C. says:

    In IE8, go to Tools…Internet Options. Visit the Advanced tab and scroll down to the Security options. Tick the box that says “Check for server certificate revocation” and confirm that “Check for publisher’s certificate revocation” is also checked. Then restart your browser.
