Does your browser rejected revoked certificates? (revoked.grc.com)
In my testing, the latest (Desktop) Chrome, Opera, and IE do but on Android neither "Browser" or Chrome do. The upshot being that even with Heart Bleed patched and everyone revoking their potentially exposed certificates there is still a problem.
73 comments
[ 3.7 ms ] story [ 122 ms ] threadHere is a write up stating why Chrome doesn't do this by default:
http://arstechnica.com/business/2012/02/google-strips-chrome...
http://i.imgur.com/aQdu7GO.png
Settings > HTTP/SSL > Check for server certificate revocation
The short version is that it's slow and not as effective as it might seem.
Cannot connect to the real revoked.grc.com
Something is currently interfering with your secure connection to revoked.grc.com.
Try to reload this page in a few minutes or after switching to a new network. If you have recently connected to a new Wi-Fi network, finish logging in before reloading.
If you were to visit revoked.grc.com right now, you might share private information with an attacker. To protect your privacy, Chrome will not load the page until it can establish a secure connection to the real revoked.grc.com.
I pressed reload a few times after a few minutes and still see the same page. Am I doing it right or what?
An error occurred during a connection to revoked.grc.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
Using w3m I get a page beginning with the following text:
...Yes, this is totally a fanboy post :) But it's cool to see Steve still popping up in relevant security news almost 20 years later.
[1] https://www.grc.com/smgassembly.htm
Last I checked, the internet did not end while XP had raw sockets, and windows server retains this capability.
Steve Gibson did to raw-sockets what Jenny McCarthy did to vaccines.
https://www.grc.com/ssl/ev.htm
You'd think it's an odd mix of satire and CA salesmanship with a healthy dose of not understanding how anything works, but apparently he's serious.
He did take up Javascript a couple years ago because of a new-found value in client-side processing and canvas[1] for animation.
He's currently working on SpinRite 6.1 with modern I/O support and an authentication mechanism he came up with out of the blue called SQRL[2].
[1] https://www.grc.com/animation.htm [2] https://www.grc.com/sqrl/sqrl.htm
There are two methods of revoking a certificate, Certificate Revocation Lists and OCSP (Online Certificate Status Protocol).
CRL lists do not scale at all and are almost universally do not include all revoked certificates (startssl implements this correctly which is why they charge $25 to revoke a certificate).
OCSP is susceptible to a MitM attack (exactly the scenario in which you want it to work!).
An attacker can simply block OCSP requests and nearly all current browsers will silently ignore the failure.
They ignore such a failure because they are actually very common. The CA has to run an OCSP server that is queried continuously at high volume for no additional revenue, a model that doesn't exactly encourage robust operation.
The only way to effectively revoke certificates in the numbers necessary after heartbleed is for the CAs to revoke their intermediary certs and have everybody get a new cert free of charge.
Edit: for example here is the digicert CRL http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
The server is using OCSP stapling, which means the OCSP certificate is being sent directly by the https server, an attack would obviously not be sending an OCSP response indicating the certificate was revoked....
Implemented in the most paranoid manner possible every https request would result in an OCSP request.
That would be millions of requests per second for a large CA.
They have effectively no financial interest in actually supporting that.
> Certificate revocation does not work. [...] OCSP is susceptible to a MitM attack (exactly the scenario in which you want it to work!).
with
> The only way to effectively revoke certificates in the numbers necessary after heartbleed is for the CAs to revoke their intermediary certs.
That is, how are the intermediate certificates supposed to be revoked if certificate revocation does not work relibably ?
Also, I'd note that certification revocation can be made to work by the browser simply refusing to continue if it's unable to check certification revocation status (either due to an active MITM or other genuine network errors). Granted this comes at the cost of great user inconvenience, but that's almost always the tradeoff with increased security.
It's a much smaller amount of information, so a normal CRL can be used effectively.
You really cannot use a CRL to revoke millions of certs, but you can use them to revoke a few hundred.
Please elaborate. The CDP (CRL Distribution Point) allows for multiple strategies, some of which can scale quite well.
The Canadian government runs several PKIs with tens of thousands of active certs, many thousands of revoked, no problems at all, because of CDPs.
(Full disclosure: I worked for several years for the company that invented the CDP. I was not involved in the invention.)
(BTW, FF 28 detected the revoked cert just fine.)
Because thousands is off by several orders of magnitude.
Real public CAs are going to have to contend with revoking millions of certificates.
Each revocation cert is about 1KiB, so that's 1GiB of revocation data per CA.
That obviously does not scale.
How do you figure? Each revocation is by certificate serial number, which typically run 4 to 20 bytes, and the revocation date, with possible extensions for more information.
Add a little overhead for the signature on the list, etc.
Exaggerate wildly and call that 100 bytes per revocation: we're down to at most 100MB of revocation data for the million user case; that's not a lot of data.
It's probably closer to 20 or so bytes per revocation, ~20MB of revocation data. Spread out over as many CDPs as the CA wants to maintain.
The system used in the Canadian federal government creates one CDP per 375 users, so that CDPs are capped at roughly 750 certs each (each user has two key pairs, one for verification, one for encryption). At 20-100 bytes per revocation, that's 15KB to 75KB per CDP.
That's not much at all. And given that any given user interacts with a subset of all possible users, they won't have anywhere near all of the CRLs downloaded.
Broadcasting a signed blacklist shouldn't be that hard, given both a wide variety of sites that all want the latest version to be available, and the example of peer-to-peer networks. Also, 'Google Safe Browsing' reliably, and in a semi-privacy-protecting manner, informs multiple browsers of a blacklist of scam/malware sites.
I can see the problem has some tricky parts to it... but it doesn't seem any parts are thorny, intractable problems.
Have CAs prepare a digest (maybe bloom filter?) of revocations regularly. Sign the hash of this digest, and make the digest available via many redundant paths (mirrors, CDNs, P2P networks). Interested servers – perhaps every server reliant on a certain CA – gossip via headers (or even DNS) about the latest and greatest CRL versions they've seen.
Then browsers can be reasonably sure they've got the latest, or that it's somehow being kept from them (gossip from third parties says there's a signed later one, but all usual sources are unreachable) – without an extra, slow, privacy-compromising poll every new TLS session.
Pirates have no problem flooding the world with fresh media files, against active legally-privileged interdiction efforts, with each such file much larger than all revocations ever. Why can't certificate/TLS professionals and "cyber infrastructure authorities" match that?
It could be available via anycast akin to DNS, or p2p as gojomo suggests. Lots of places use DNS to operate blacklist/RBLs - some with very large datasets which would break the internet if they ever become unavailable.
You're no longer on "the internet", you're on some attacker-chosen & time-lagged subset... and you need to know that before connecting to sensitive sites.
I have to second this. Just days after the Heartbleed disaster struck, my Firefox (v24; Debian "Iceweasel") sometimes takes more than 30 minutes (!) to load SSL-encrypted websites, as it first downloads some 50MB of CRLs from ocsp.comodoca.com (verified what it is doing using tcpdump). Disabling OCSP certificate checks fixes the problem.
I haven't encountered the issue under Ubuntu 12.04, maybe newer Firefoxes have some timeouts built in, or the certificate database works faster on my Ubuntu PC (the Debian system uses NFS which may slow down the sqlite database a lot.)
This is like single point of failure designed into a protocol. Unbelievable.
Doesn't necessarily help mobile, due to the blockchain's size... but perhaps there's workarounds for that.
It's really surprising for Lynx, you would think THE nerd browser would be a bit better security wise.
So much for downloading install scripts over ssl...
God I fucking hate that.
It would make it more difficult to connect to sites that use alternative CAs/self-signed certs, though..
Lots of exclamation points, all caps, and colored text, but not a lot of substance.
Chrome disabled cert revocation checks because they are easily bypassed: a MITM attacker can just block access to the CA's servers and the revocation check fails open. They instead opted for a more reliable method of pushing high profile revocations to the browser with software updates. These decisions are documented here:
https://www.imperialviolet.org/2012/02/05/crlsets.html
Notice how GRC doesn't give any actual details about how revocation checks are performed and the various advantages and disadvantages of doing them. In typical Gibson style, he is hyperbolic and cites no prior discussion. But of course these tactics do what they are designed to do: generate hysteria to get maximum page views.
So I guess my question is, what do you guys think of the show and are there any alternatives you would recommend?
Firstly the cert revocation check does work.
You are assuming an arbitrarily advanced adversary who is assumed to pull both an MITM and also attempt to block access to the CA's servers. When in reality that may very well not be the case. Just because someone is doing an MITM does not mean that they will also block access to the CA's servers.
Secondly the MITM can happen at different levels. If the server that is sending you the response is being MITM'd but you are not, then you can safely access CA's servers and check for revocation. The MITM does not necessarily affect the client in a manner as to guarantee the failure to access the CA's servers.
And finally these personal attacks and Steve Gibson bashing really gets old.
Perhaps he made some mistakes or took controversial positions like ... when? 10 years ago? and people wont let it go.
The exclamation points and all caps and colored text and the ugly web pages is just his utilitarian and old-school style.
I listen to his weekly Security Now podcast and without failure he is well-prepared, thorough, accurate and correct. Even when he makes a small mistake next week he comes along, specifies the exact mistake and apologises and corrects it.
Instead every time he is mentioned someone comes along and says "ew hurr durr 10 years ago he said something about raw sockets in XP".
My point is, no one is perfect, and he certainly has not done anything to deserve these personal bashings and attacks from the community, if anything he is a long-time contributor, has put many tools available online and is now developing the SQRL login systems in the public ... so ... give him a break.
IMO, an adversary that can extract a cert using Heartbleed and set up a MITM should also be advanced enough to block some IP addresses.
I'm confused by the rest of your comments about Gibson. All I said about him was that he continues to generate hysteria without providing details or citing prior discussion. The only things I'm accusing him of are things he is still doing today.
> Perhaps he made some mistakes or took controversial positions like ... when? 10 years ago? and people wont let it go.
According to archive.org [1] the password haystack page [2] is from June 2011. He hasn't changed his "controversial" opinion on that matter yet.
[1] http://web.archive.org/web/*/https://www.grc.com/haystack.ht...
[2] https://www.grc.com/haystack.htm
http://s27.postimg.org/6cub79gbn/Screen_Shot_2014_04_13_at_1...
or through:
openssl s_client -connect revoked.grc.com:443
I mean from an end user perspective - irrespective of google's stance on revoked certs - it's very unexpected that the browser info about the cert is that it is revoked but the padlock is green
---
oh okay, as some of the other comments points out, this puts it into some perspective:
https://www.imperialviolet.org/2012/02/05/crlsets.html
---
In Safari it won't let me get to the page w/o dire warnings.
You don't care that if the CA goes down then the entire encrypted web stops working?
Think.
Opera 12.16 Build 1860