· 5 min read

What is Certificate Revocation?

What is Certificate Revocation? - What different types of certificate revocation are there?

What is Certificate Revocation? - What different types of certificate revocation are there?

What is Certificate Revocation - Why is it Unresolved in 2024?

What is an SSL/TLS Certificate?

An SSL/TLS (Secure Socket Layer/Transport Layer Security) certificate is a digital certificate that facilitates the secure transfer of data over the internet. It serves as a cryptographic key, enabling the encryption of data exchanged between a user’s web browser and a website’s server. This ensures that sensitive information, such as login credentials or financial transactions, remains confidential and protected from potential threats. Although historically running on the now deprecated SSL protocol, SSL/TLS certificates now use TLS. “SSL” is still used as a better understood marketing term, and people search for SSL ~20x as frequently as TLS.

Certificate Revocation

Certificate revocation is a crucial aspect of the SSL/TLS infrastructure that addresses the need to invalidate a previously issued certificate before its expiration date (13 months from issuance). This process becomes necessary in situations where a certificate’s private key is compromised, the certificate was mistakenly issued, or the certificate holder’s status changes (e.g., employment termination). To maintain the integrity of the security system, Certificate Authorities (CAs) must promptly revoke compromised or outdated certificates, preventing their continued use in establishing secure connections. The process of certificate revocation is an unresolved problem, with every browser and operating system combination handling certificate revocation differently, using a different mix of protocols, with no universal agreement on the best way to handle certificate revocation. In fact, it is even possible to have a certificate revoked on the same browser version work when run on a different OS. Note: Due to the rapid and experimental nature of new certificate revocation processes, conflicting information from various sources may arise. This page provides a general overview of modern browser revocation techniques. Always check for the latest updates for each browser and browser/OS combination for specific information on a particular version. Be extra vigilent for generalized statements regarding the use of different revocation methods.

What is a CRL?

A Certificate Revocation List (CRL) is a regularly updated record containing digital certificates that have been revoked before their expiration dates. Issued by a certificate authority (CA), the CRL enables entities to check the validity of certificates in a public key infrastructure (PKI). This helps prevent the use of compromised or invalid certificates, enhancing the overall security of online transactions and communication by allowing systems to reject certificates that are no longer trustworthy or which have been compromised. CRLs are still in use by certificate authorities, but often not directly by browsers, as you’ll see later on in this article, Chromium (Chrome, Brave, Edge), and Mozilla (Firefox), use the CRL lists to create their own CRL mechanisms. You can check CRL lists linked under most certificates in your browser. Chromium - CRL is not used by Chromium directly, but may be performed by the hosting OS. Certificate Revocation List Exampe

What is the Online Certificate Status Protocol (OCSP)?

The Online Certificate Status Protocol (OCSP) was originally developed as an alternative to Certificate Revocation Lists (CRLs). The concept is highly similar, but instead of downloading the CRL for an entire certificate authority, the check is made against a single certificate. Below, the OCSP Responder for the certificate: Online Certificate Status Protocol Example OCSP is not used by Chromium directly, but may be performed by the OS. OCSP is used by Firefox as a fallback whenever OCSP Stapling is (not used by the web server)[https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox].

Online (i.e. OCSP and CRL) checks are not, generally, performed by Chrome

Chromium

Using OCSP for certificate revocation doesn't serve users very well

Mozilla 2015

OCSP Stapling

OCSP Stapling - Supported by a number of sites, OCSP Stapling may also be referred to a Certificate Stapling. There are reports that OCSP stapling is not (included by Chromium)[https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/], which makes sense as OCSP checks are not performed directly by Chrome itself. Note, OCSP stapling (sometimes called certificate stapling) should not be confused with certificate pinning. The latter is the act of trusting only specific certificates, I.E., allow listing certificates, so that when a certificate renews, it is not automatically trusted, which can help organizations to avoid man in the middle attacks for popular sites that their enterprise uses.

OCSP Must Staple

The adoption of OCSP Must Staple is low, largely due to low support for OCSP Stapling. There are reports that OCSP Must Staple is not fully supported by Chromium Chrome, Edge, Brave. OCSP Must Staple is supported by Firefox.

CRLSets

CRLSets are used by Chromium, to allow Chrome to recognized revocations quickly.

OneCRL

As of 2015 Mozilla (Firefox) has begun using a feature called OneCRL. For size reasons it only handles Intermediate Certificate Authorities.

CRLite

Building on the power of certificate transparency logs, Mozilla (Firefox) is working on implementing a system which Mozilla expects to become their primary mechanism of validating end-entity certificates, that is, the certificate issued directly or your domain. StellastraBlockQuote quote=Currently, no major browser fully checks for TLS/SSL certificate revocations... CRLs, OCSP, OCSP Stapling, CRLSet, and OneCRL are each either incomplete, insecure, inefficient, slow to update, not private, or some combination thereof quote_by=CRLite Researchers, Larisch, Choffnes, and Levin (2018)/>

CRLite is expected to [become] the primary mechanism used by Firefox to validate end-entity certificates. We expect that revocation checking will fall back to OCSP stapling or OCSP in the following situations...

Mozilla

How are Root Certificates Trusted?

Root certificates play a pivotal role in the trustworthiness of secure communication on the internet. These certificates are issued by trusted Certificate Authorities (CAs) and serve as the foundation of the public key infrastructure (PKI). To ensure the integrity and reliability of root certificates, they undergo rigorous audits conducted by major accounting firms. For instance, QuoVadis and GlobalSign, prominent CAs, are audited by Ernst & Young (EY), while Entrust is audited by Deloitte. These audits encompass thorough assessments of the CA’s practices, procedures, and infrastructure to verify compliance with industry standards and best practices. By subjecting themselves to such audits by reputable firms, CAs demonstrate their commitment to maintaining the highest standards of security and trust in the issuance and management of digital certificates. Such comprehensive audits help to convince browsers and operating systems to ship the root certificates with their products. Egregious slips usually lead to a rapid disavowment of the organisation’s certificates (be they root, or intermediate). Historic examples include Symmantec in 2017 and Certinomis in 2018.

    Share:
    Back to Blog

    Related Posts

    View All Posts »
    Anti Spam Laws Around the World

    Anti Spam Laws Around the World

    Spam, unsolicited electronic communication, has become a global issue that affects individuals, businesses, and governments alike. Various countries have developed anti-spam laws to protect consumers from unwanted emails, messages, and other forms of digital marketing. These laws vary by region, but they generally focus on requiring consent from recipients, providing clear opt-out mechanisms, and penalizing violators with hefty fines. Below is an overview of key anti-spam regulations from the United States, Canada, New Zealand, Australia, Ireland, and the United Kingdom.

    What is Risk Reduction in Cyber Security - 50 Ways to Reduce Risk

    What is Risk Reduction in Cyber Security - 50 Ways to Reduce Risk

    Explore the essentials of risk reduction in cyber security and learn how to proactively protect your organization. Uncover strategies for minimizing vulnerabilities, strengthening defenses, and implementing best practices to lower potential cyber threats and ensure robust digital security.

    What is Risk Transfer in Cyber Security - 40 Ways to Transfer Risk

    What is Risk Transfer in Cyber Security - 40 Ways to Transfer Risk

    Discover how risk transfer in cyber security can safeguard your organization. Learn about strategies to mitigate potential cyber threats by shifting liability, utilizing insurance, and partnering with third-party experts. Explore effective ways to protect your digital assets.