Chapter 9iv: Certificate Revocation

Question 1

Certificate Revocation

Revocation is crucial—yet often neglected in discussions

Problems?
* There are several cases when an already issued certificate must be withdrawn. Examples?
Solutions?

Answer 1

Question 2

Certificate Revocation Lists (CRLs)

A CRL is a list of certificates that are considered revoked. Explain.

Answer 2

• They are (should be) issued, updated and maintained by every CA:
• Certificates are identified by serial number
• A reason for revocation can be given
• Every CRL must be timestamped and signed
• There are further entries, like time of next update
• Technically, a browser (client) should download CRL (and update it after the given time), and lookup a host certificate every time it connects to a server

Question 3

Problems with CRLs

Explain.

• For these reasons, browsers have never activated CRLs by default

Answer 3

• Intermediate certs should be checked, too – induces load and network activity
• There is a time interval between two updates (window for attack)
• CRLs can grow large
• Response to this: Delta CRLs that contain only latest updates
• Requires server side support—very rarely used
• Downloads of CRLs can be blocked by a Man-in-the-middle

Question 4

Online Certificate Status Protocol (OCSP)

OCSP allows live revocation checks over the network. Query-Response model.

Answer 4

Question 5

Problems with OCSP

Answer 5

Question 6

Online Certificate Status Protocol (OCSP): OCSP Stapling

Addresses several problems of OCSP

Answer 6

• The idea is thus that servers request fresh OCSP ‘proof’ from CA: ‘this certificate is still considered valid’
• This can be done at regular intervals
• The ‘proof’ is ‘stapled’ to the certificate that the server sends in the SSL/TLS handshake
• Although around for a long time, the idea is only now gaining traction
• Reduces load on CA, reduces overall web page loading time, solves privacy problem

Question 7

New Approaches to Revocation

Answer 7

Question 8

Revocation: Lessons Learned

Revocation is crucial—but no silver bullet so far
* It is probably safe to say that …
* OCSP checks are expensive, too (latency, load)—and …
* OCSP stapling is an improvement
* Revocation is an unsolved problem

Answer 8

CRLs never worked and are of very limited use
not sufficient against an attacker who drops traffic
to the CA

Question 9

Proposals to enhance X.509 DigiNotar vs. Iran?

Answer 9

• CA can issue certificates for any Web server
• If a CA is rogue or got compromized, malicious certificates can be issued
• This certificate enables an attacker to act as Man in the Middle (“TLS/SSL proxy”)!

Question 10

Certificate Pinning

Aim: defend against malicious certs

Answer 10

• Idea: browser “pins” the certificate a Web server presented on first contact
• Can be achieved by storing the public key or hash of the public key
• If the server later presents a different certificate, the browser can warn the user or stop the connection attempt

Question 11

Certificate Pinning

This type of user-driven pinning assumes a secure first connection

Answer 11

• Inherent bootstrapping problem: who can guarantee the cert’s authentifity on first use?
• Browser might pin the malicious certificate…!
• Thus also known as trust-on-first-use (“TOFU”)

Question 12

Certificate Pinning: Further Pinning Variants

Static vs Dynamic pinning

Answer 12

Question 13

Certificate Pinning Issues to solve

Answer 13

TOFU, Lifecycle, Scalability

• Today, pinning is mostly replaced by Certificate Transparency (CT)
• CT are public logs of certificates issued by CA
• Browsers (and other entities) can query the logs to find malicious certificates