Logo
Sign InSign Up

What is Certificate Revocation?

Last modified on Wednesday, May 8, 2024

5 minute read

Root Certificate Authorities (Root CAs) and their Corresponding Intermediate Certificate Authorities (Intermediate CAs)

What is Certificate Revocation - Why is it Unresolved in 2024?

What is an SSL/TLS Certificate?

An SSL/TLS (Secure Socket Layer/Transport Layer Security) certificate is a digital certificate that facilitates the secure transfer of data over the internet. It serves as a cryptographic key, enabling the encryption of data exchanged between a user's web browser and a website's server. This ensures that sensitive information, such as login credentials or financial transactions, remains confidential and protected from potential threats. Although historically running on the now deprecated SSL protocol, SSL/TLS certificates now use TLS. "SSL" is still used as a better understood marketing term, and people search for SSL ~20x as frequently as TLS.

Certificate Revocation

Certificate revocation is a crucial aspect of the SSL/TLS infrastructure that addresses the need to invalidate a previously issued certificate before its expiration date (13 months from issuance). This process becomes necessary in situations where a certificate's private key is compromised, the certificate was mistakenly issued, or the certificate holder's status changes (e.g., employment termination). To maintain the integrity of the security system, Certificate Authorities (CAs) must promptly revoke compromised or outdated certificates, preventing their continued use in establishing secure connections. The process of certificate revocation is an unresolved problem, with every browser and operating system combination handling certificate revocation differently, using a different mix of protocols, with no universal agreement on the best way to handle certificate revocation. In fact, it is even possible to have a certificate revoked on the same browser version work when run on a different OS. Note: Due to the rapid and experimental nature of new certificate revocation processes, conflicting information from various sources may arise. This page provides a general overview of modern browser revocation techniques. Always check for the latest updates for each browser and browser/OS combination for specific information on a particular version. Be extra vigilent for generalized statements regarding the use of different revocation methods.

What is a CRL?

A Certificate Revocation List (CRL) is a regularly updated record containing digital certificates that have been revoked before their expiration dates. Issued by a certificate authority (CA), the CRL enables entities to check the validity of certificates in a public key infrastructure (PKI). This helps prevent the use of compromised or invalid certificates, enhancing the overall security of online transactions and communication by allowing systems to reject certificates that are no longer trustworthy or which have been compromised. CRLs are still in use by certificate authorities, but often not directly by browsers, as you'll see later on in this article, Chromium (Chrome, Brave, Edge), and Mozilla (Firefox), use the CRL lists to create their own CRL mechanisms. You can check CRL lists linked under most certificates in your browser. Chromium - CRL is not used by Chromium directly, but may be performed by the hosting OS. Certificate Revocation List Exampe

What is the Online Certificate Status Protocol (OCSP)?

The Online Certificate Status Protocol (OCSP) was originally developed as an alternative to Certificate Revocation Lists (CRLs). The concept is highly similar, but instead of downloading the CRL for an entire certificate authority, the check is made against a single certificate. Below, the OCSP Responder for the certificate: Online Certificate Status Protocol Example OCSP is not used by Chromium directly, but may be performed by the OS. OCSP is used by Firefox as a fallback whenever OCSP Stapling is not used by the web server.

Chromium - Online (i.e. OCSP and CRL) checks are not, generally, performed by Chrome

Mozilla 2015 - Using OCSP for certificate revocation doesn’t serve users very well

OCSP Stapling

OCSP Stapling - Supported by a number of sites, OCSP Stapling may also be referred to a Certificate Stapling. There are reports that OCSP stapling is not (included by Chromium)[https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/], which makes sense as OCSP checks are not performed directly by Chrome itself. Note, OCSP stapling (sometimes called certificate stapling) should not be confused with certificate pinning. The latter is the act of trusting only specific certificates, I.E., allow listing certificates, so that when a certificate renews, it is not automatically trusted, which can help organizations to avoid man in the middle attacks for popular sites that their enterprise uses.

##OCSP Must Staple The adoption of OCSP Must Staple is low, largely due to low support for OCSP Stapling. There are reports that OCSP Must Staple is not fully supported by Chromium (Chrome, Edge, Brave)[https://bugs.chromium.org/p/chromium/issues/detail?id=572734]. OCSP Must Staple is supported by Firefox.

CRLSets

CRLSets are used by Chromium, to allow Chrome to recognized revocations quickly.

OneCRL

As of 2015 Mozilla (Firefox) has begun using a feature called OneCRL. For size reasons it only handles Intermediate Certificate Authorities.

CRLite

Building on the power of certificate transparency logs, Mozilla (Firefox) is working on implementing a system which Mozilla expects to become their primary mechanism of validating end-entity certificates, that is, the certificate issued directly or your domain. StellastraBlockQuote quote=Currently, no major browser fully checks for TLS/SSL certificate revocations... CRLs, OCSP, OCSP Stapling, CRLSet, and OneCRL are each either incomplete, insecure, inefficient, slow to update, not private, or some combination thereof quote_by=CRLite Researchers, Larisch, Choffnes, and Levin (2018)/>

Mozilla - CRLite is expected to [become] the primary mechanism used by Firefox to validate end-entity certificates. We expect that revocation checking will fall back to OCSP stapling or OCSP in the following situations...

How are Root Certificates Trusted?

Root certificates play a pivotal role in the trustworthiness of secure communication on the internet. These certificates are issued by trusted Certificate Authorities (CAs) and serve as the foundation of the public key infrastructure (PKI). To ensure the integrity and reliability of root certificates, they undergo rigorous audits conducted by major accounting firms. For instance, QuoVadis and GlobalSign, prominent CAs, are audited by Ernst & Young (EY), while Entrust is audited by Deloitte. These audits encompass thorough assessments of the CA's practices, procedures, and infrastructure to verify compliance with industry standards and best practices. By subjecting themselves to such audits by reputable firms, CAs demonstrate their commitment to maintaining the highest standards of security and trust in the issuance and management of digital certificates. Such comprehensive audits help to convince browsers and operating systems to ship the root certificates with their products. Egregious slips usually lead to a rapid disavowment of the organisation's certificates (be they root, or intermediate). Historic examples include Symmantec in 2017 and Certinomis in 2018.

Useful links:


Share this article

Stellastra The Cyber Security Comparison Platform

© 2024 Stellastra Ltd. All rights reserved. All names, logos, trademarks, et al, belong to their respective owners. No endorsement or partnership is necessarily implied between company and Stellastra and vice versa. Information is provided for convenience only on an as is basis. For the most up to date information, contact vendor directly. Scores including email security, SPF, and DMARC are calculated based on Stellastra's algorithms and other analyses may return different results.

LinkedInTwitter

Company

About StellastraContact usCyber Security Risk ScoreEmail Deliverability ToolTLS Cipher SuitesStellastra Discover

Stay up to date

Stellastra The Cyber Security Comparison Platform