Chrome/Firefox aren't checking CA revocation lists
Chrome isn't checking revocation lists anymore (source: https://www.imperialviolet.org/2012/02/05/crlsets.html) so for everyone reissuing keys today, their sites are still vulnerable for Chrome users, right?
I checked Google's own (custom) CRL and they don't have any serials from Comodo or Verisign's revocation lists, but they do have some from GoDaddy. Verified with https://github.com/agl/crlset-tools.
Update: Added Firefox to title based on mbrubeck's findings.
34 comments
[ 5.0 ms ] story [ 87.1 ms ] threadhttps://mail.mozilla.org/pipermail/firefox-dev/2013-April/00...
https://mail.mozilla.org/pipermail/firefox-dev/2013-May/0003...
https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...
https://wiki.mozilla.org/CA:ImprovingRevocation
Such an attacker can obviously also block the CRL/OCSP lookup if one is made. Even with revocation checking enabled, no browser that I know of will fail a TLS handshake if the revocation check is blocked.
(You can configure Firefox to do this. Tools -> Options -> Advanced -> Encryption -> Validation, check the box for "When an OCSP server connection fails, treat the certificate as invalid" - so says https://wiki.mozilla.org/CA:OCSP-HardFail)
I claim that soft-fail revocation checking is basically nonsense. That's the point that I'm making in https://www.imperialviolet.org/2012/02/05/crlsets.html.
Making it hard-fail isn't viable: it makes OCSP servers a single point of failure for huge parts of the web. That's why Chrome has a CRLSet system that actually can achieve real goals. The attacker has to persistently MITM the client in order to block the CRLSet update.
The CRLSet is limited in size. I had hoped that CAs would use the reason code mechanism in CRLs to remove the "administrative" revocations that dominate their CRLs. (Those are revocations where there's no suggestion of compromise.) Some do, but most don't.
It's not true that the CRLSet doesn't include any Comodo or Symantec (who now own Verisign's old CA business) CRLs. In fact, Symantec/Verisign CRLs are the biggest contributor to the CRLSet.
But it's true that the CRLSet is limited in size. We focus on CRLs for CA and EV certificates. I don't think the world has a great answer to the revocation problem when certificates are valid longer and longer periods.
It appears there is already an (expired?) internet draft for this: https://datatracker.ietf.org/doc/draft-pala-rea-ocsp-over-dn... http://tools.ietf.org/html/draft-pala-rea-ocsp-over-dns-00
But i could not find any browser support or even plugins.
I guess all current development is behind DANE and/or multi-OCSP-stapling; second one has some chance of being deployed soon.
https://bugzilla.mozilla.org/show_bug.cgi?id=611836 https://datatracker.ietf.org/doc/rfc6961/
--igor
I was using crlset-tools to test the list against an intermediate Comodo CA and the intermediate/anchor certs for Versign and it didn't return any results. I did the same thing for DigiCert and it did return some, so I assumed what I was doing was correct.
We don't have all CRLs for all CAs (sadly). Some CAs have also asked for the list not to be published so there's no list of the URLs that we do crawl either :(
I mean, by all means, rotate your key and get a new cert, but my guess is CRLs cannot handle making space for a majority of SSL'd domains in the list.
I don't want my browser hanging up a secure page load while it downloads that file... More to the point, I don't want a million dot com revocations getting in the way of my browser learning about that "Major Root CA" that was compromised last week.
> Such an attacker can obviously also block the CRL/OCSP lookup if one is made.
This is not at all obvious to me. Suppose you wanted to steal credit cards. The best place to do your MITM would be at the payment processor's connection to the net.
The clients doing the CRL/OSCP lookup will be connecting to the certificate authority, not the payment processor, for this. The MITM won't see them in most cases.
People who do their MITM close to the client can probably stop CRL/OSCP lookup, of course.
In that situation the attacker can pass DV checks as the server and so can get new certificates issued to themselves. Or maybe they stock up on certificates before attacking and use OCSP stapling to run out 7 days per certificate.
Basically, everything falls apart in that situation already.