Slashdot Mirror


SSL Cert Revocation Lists?

DA-MAN asks: "Browsers ship with a ton of different certificate authorities that provide 'trust' for secure sites that we visit. With all of these certificate authorities comes a certificate revocation list, which is to flag bad certs. Firefox, IE and Safari do not have an automated way to pull updated lists from all of the different certificate authorities, so one must download each CRL manually and import them into the browser. It occurred to me the other day that the only time I've ever seen this feature in use was when Microsoft inserted the CRL for a certificate that was mistakenly issued by Verisign with the 'Microsoft Corporation' name. All that said, I was just wondering if anyone cares about this? Do you actually import updated CRLs into your browser? Why can't the CRL be signed by the Cert Authority and automatically imported?" What other browsers support automatic CRL updates?

2 of 59 comments

  1. Firefox supports OCSP by mysidia · Score: 5, Informative

    Online Certificate Status Protocol.

    Tools > Options > Advanced > Security > Verification

    Verification that a certificate has not been revoked is not done in practice, however:

    • Extra time is taken for the request, or substantial disk space or memory is used to download lists of revoked certificates, which slows down access to secure sites.
    • CRLs can be out of date if you import an old list; a certificate you think invalid may no longer be invalid. CRLs allow a certificate to be blocked either temporarily (hold) or permanently (revoke).
    • Online updates of certificate status are something that would use a phenomenal amount of bandwidth for any large CA if all clients checked status before allowing a connection; it would cut into CA profit margins if every web surfer insisted on downloading CRLs regularly for trusted CAs, or before accepting a certificate. This would tend to discourage CAs from using CRLs, or justify even more extortionate rates to buy essential web server certificates.
  2. Re:Self-signed Certs by Straker+Skunk · Score: 4, Informative

    Don't use self-signed certificates. Create a private CA, generate a real root certificate, and then distribute that to all the clients that need it.

    That way, you don't get a warning dialog, and you get real protection from MitM attacks.

    Also: If you find the openssl(1) tool annoying, try certtool(1) from GnuTLS. I've found it a lot easier to work with.

    --
    iSKUNK!
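The private CA that the comment above describes, together with the hold-versus-revoke CRL check from mysidia's comment further up, as an added worked example (this is not code from the thread or from either poster): a shell script driving openssl(1) that builds a throwaway root certificate, issues a server certificate from it, verifies the chain cleanly, then revokes the certificate with a certificateHold reason, publishes a CRL, and shows that a client which never consults the CRL still accepts the certificate while one that has imported the CRL rejects it. The CA name lab-ca, the hostname www.example.test, the scratch directory and the serial numbers are all assumptions made for the demo; it needs only openssl on PATH.

```shell
#!/bin/sh
# Added example (not code from the Slashdot thread): a throwaway private CA built
# with openssl(1), a server certificate issued from it, and the effect of revoking
# that certificate on clients that do and do not consult the CA's CRL.
# Assumptions: openssl is on PATH; "lab-ca" and "www.example.test" are made-up names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One config shared by req(1) and ca(1), so the demo does not depend on the
# system openssl.cnf. The paths are expanded by the shell when the file is written.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = lab_ca
[ lab_ca ]
new_certs_dir    = $WORK
database         = $WORK/index.txt
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = lab_policy
x509_extensions  = server_ext
[ lab_policy ]
commonName = supplied

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
EOF

make_ca() {
  # Root key and self-signed root cert: ca.crt is the one file you push to every client.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -extensions ca_ext -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  : > "$WORK/index.txt"            # ca(1) database of issued and revoked certs
  echo 1000 > "$WORK/serial"       # next certificate serial (hex)
  echo 1000 > "$WORK/crlnumber"    # next CRL number (hex)
}

issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}

# Revoke and publish a fresh CRL. Reason codes: certificateHold is the reversible
# "hold" from the thread (the serial can be dropped from a later CRL);
# keyCompromise is a permanent revocation.
revoke_server_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/server.crt" -crl_reason "$1" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Client that trusts the root but never looks at a CRL (a browser with no fresh list).
verify_no_crl() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# Client that has imported the CA's CRL next to the root, which is what the
# question wants browsers to do automatically. openssl verify reads CRLs that are
# bundled into the -CAfile.
verify_with_crl() {
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/ca-and-crl.pem"
  if openssl verify -crl_check -CAfile "$WORK/ca-and-crl.pem" "$WORK/server.crt" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# Reason recorded in the CRL entry, e.g. "Certificate Hold".
revocation_reason() {
  openssl crl -in "$WORK/ca.crl" -noout -text | grep -A1 'CRL Reason Code' | tail -n 1 | sed 's/^ *//'
}

make_ca
issue_server_cert
BEFORE_REVOCATION=$(verify_no_crl)         # accepted: a clean chain to the private root
revoke_server_cert certificateHold
echo "before revocation: $BEFORE_REVOCATION"
echo "no CRL check:      $(verify_no_crl)"   # still accepted: the revocation is invisible
echo "with CRL check:    $(verify_with_crl)" # rejected
echo "reason:            $(revocation_reason)"
```

Swap certificateHold for keyCompromise to see a permanent revocation: the reason text in the CRL is the only difference, openssl verify treats both as revoked. The "no CRL check" line is exactly the position a browser is in when it has neither a current CRL nor an OCSP answer for the issuer, which is the gap the question is asking about.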