Slashdot Mirror


PHP, Python and Google Go Fail To Detect Revoked TLS Certificates (softpedia.com)

An anonymous reader writes: Four years after the release of a groundbreaking study on the state of SSL/TLS certificates in non-browser applications (APIs [to be exact]), some programming languages fail to provide developers with the appropriate tools to validate certificates. Using three simple test scripts connected to a list of known vulnerable HTTPS servers, researchers logged their results to see which programming languages detected any problems. According to the results, all tested programming languages (PHP, Python, Go), in various configurations, failed to detect HTTPS connections that used revoked SSL/TLS certificates. This is a problem for HTTPS-protected APIs since users aren't visually warned, like in browsers, that they're on an insecure connection. "PHP, Python, and Google Go perform no revocation checks by default, neither does the cURL library. If the certificate was compromised and revoked by the owner, you will never know about it," noted Sucuri's Peter Kankowski.
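The default-versus-checked behaviour the summary describes, shown in Go as an added example (written for this page; it is not code from the article, from Sucuri, or from the researchers' test scripts). It builds a throwaway PKI in memory so it runs offline: a CA, a server certificate for the made-up hostname api.example.test, and a CRL from that CA revoking that certificate. The Verify call in main is the check crypto/tls performs on a server certificate when InsecureSkipVerify is false, and it accepts the revoked leaf without complaint; revocationHook is the tls.Config.VerifyPeerCertificate callback a client has to install itself to consult the CRL, written to fail closed on a missing, mis-signed or expired list. It needs Go 1.19 or newer for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "api.example.test" // hypothetical hostname, chosen for this example

type testPKI struct { // throwaway PKI built in memory for the example
	roots *x509.CertPool       // the client's trust store: only the test CA
	leaf  *x509.Certificate    // the server certificate, which the CA has since revoked
	crl   *x509.RevocationList // the CA's CRL, listing the leaf's serial number
}

func must[T any](v T, err error) T { // fixture helper: a failure here is a setup bug, not a TLS verdict
	if err != nil {
		panic(err)
	}
	return v
}

func buildPKI() *testPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	// The CA revokes the leaf (say its key leaked) and signs a CRL saying so. RevokedCertificates is the
	// pre-Go-1.21 field name; CreateRevocationList still honours it on newer releases.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &testPKI{roots: roots, leaf: leaf, crl: must(x509.ParseRevocationList(crlDER))}
}

// checkRevocation is the step the default clients skip. It fails closed: a CRL that is not signed by
// the issuer, or is outside its validity window, is an error rather than a pass.
func checkRevocation(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer %q: %w", issuer.Subject.CommonName, err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL validity window does not cover the current time, refusing to trust it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %q (serial %v) revoked at %s", cert.Subject.CommonName,
				cert.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// revocationHook builds the tls.Config.VerifyPeerCertificate callback. The chains it receives have
// already passed Go's default validation (InsecureSkipVerify must stay false for that), so only
// revocation is left. One CRL covers this two-link chain; a real client fetches one per link.
func revocationHook(crl *x509.RevocationList) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 {
			return fmt.Errorf("no verified chains to check")
		}
		for _, chain := range chains {
			if len(chain) < 2 {
				return fmt.Errorf("chain has no issuer to validate the CRL against")
			}
			if err := checkRevocation(chain[0], chain[1], crl, time.Now()); err != nil {
				return err
			}
		}
		return nil
	}
}

func main() {
	p := buildPKI()
	// What a stock Go client does with a server certificate: chain plus hostname, nothing more.
	chains, err := p.leaf.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: host})
	fmt.Println("default validation of the revoked leaf:", err)
	// The same chains, fed through the hook a hardened client installs in its tls.Config.
	cfg := &tls.Config{RootCAs: p.roots, ServerName: host, VerifyPeerCertificate: revocationHook(p.crl)}
	fmt.Println("with the CRL hook:", cfg.VerifyPeerCertificate(nil, chains))
}
```

Run with go run: the first line reports no error, the second the revocation of serial 4242. When adapting this, keep the two failure branches in checkRevocation. A client that treats an unreachable, unsigned or expired CRL as a pass is no safer than one that never checks, and in practice the revocation data has to come from the CRL distribution point or OCSP responder named in each certificate rather than from a list baked in at build time.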

2 of 64 comments

  1. Cert revocation is terminally broken. Wontfix. by Anonymous Coward · Score: 5, Informative

    This is not something that should be held against the programming languages or their standard libraries. Cert revocation has never worked and will never work. All reasonable developers have given up on it. Trying to make it work is an exercise in futility and can only do more harm than good. That's why Let's Encrypt only issues very short-lived certificates and plans to reduce the lifetime of certificates even more.

  2. Re:the tools should make this easier by Anonymous Coward · Score: 3, Informative

    The only problem with that is many of the CRL servers respond very slowly or not at all. For our customers, especially the ones using a GoDaddy cert, we had to disable CRL and OCSP checks in Java to make connecting to them reliable. For our PHP services, not checking those slow and unreliable lists made our services much faster and more reliable. Until companies like GoDaddy get their act together, I'm glad PHP doesn't check.