Sorry State of SSL Certificate Revocation System

July 24, 2017 | By Kimberly Reynolds

SSL Certificates protect websites by enabling SSL encryption; no doubt about that. But this doesn’t mean that websites with SSL Certificates, which enjoy the security and privacy offered by HTTPS, are 100% hack-proof. Things can go wrong for them as well. And the biggest worry at the moment is that, when they do go wrong, there is no proper SSL Certificate Revocation System in place to handle things efficiently.

Unfortunately, SSL-certified websites can be broken into, and the Heartbleed bug remains a stark reminder of this fact. When a website with an SSL Certificate is broken into, it usually means that your private key has been stolen by a malicious hacker “who is not you but can now impersonate you in a legitimate manner” and swindle the information being exchanged between you and other parties. Vulnerabilities in the SSL Certificate generation process, and sometimes plain negligence, can lead to the exposure of your private keys.

Simply put, your private key can be snatched away from you, and when this happens you need to stop the attacker (or hacker) from abusing or misusing your certificate. In other words, you need to revoke your certificate so that it can no longer be abused or misused by malicious attackers or hackers.

The Fallback Mechanism When SSL Certificates are Compromised

The moment you realize you’ve been compromised, you should contact your CA (the Certificate Authority that issued your SSL Certificate) and ask them to revoke it. The CA will require you to prove your ownership of the website before revoking the certificate it issued. The next step is to convey to your clients that your certificate has been revoked, and the sooner this is done, the better. Unfortunately, passing on this information takes “some valuable time”, during which the attackers can continue “to abuse or misuse your certificate”.

The information that your SSL Certificate has been revoked can be made available in two ways: through Certificate Revocation Lists (CRLs) and through the Online Certificate Status Protocol (OCSP).

1. Certificate Revocation Lists: Commonly known as CRLs, a CRL is a document listing all the SSL certificates that a Certificate Authority has marked as revoked. Clients (web browsers) contact the CA’s CRL server and download a copy of this document, which they refer back to every time they try to establish a connection with a web server, to check whether that server’s certificate has been blacklisted or not.

The problem with CRLs is that a CA’s list of revoked certificates is usually humongous, and going through it can be very time-consuming. Moreover, if the client doesn’t have a fresh copy of the CRL, it has to download one while connecting to your site, making your site appear much slower than it actually is. For these reasons, CRLs are not the most sought-after fallback mechanism when SSL certificates are compromised.

2. Online Certificate Status Protocol (OCSP): With OCSP, there is no need for clients (web browsers) to download CRLs in order to check the connections they are trying to establish. Using OCSP, clients can directly ask the CA for the ‘status of a single, particular certificate’. All the CA has to do is respond with a good or revoked answer, which is considerably smaller than a CRL and therefore gives OCSP a significant performance advantage over the CRL approach.

But even with OCSP there is a catch, and that is your ‘privacy’. With OCSP, your client is effectively leaking your browsing history to a third party (each status query tells the CA which certificate, and hence which site, you are connecting to), and this could in turn prove very dangerous for you. Therefore even OCSP, with the advantages it brings, is not considered the best backup in case your SSL Certificates are compromised.
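The two mechanisms described under points 1 and 2 can be exercised end to end with nothing but the openssl command line. The script below is an added example, not code from the original post: it stands up a throwaway CA, issues a certificate to a hypothetical host, treats the key as stolen and revokes the certificate, and then shows what a client sees when it checks the status through a CRL and through an OCSP request/response pair (exchanged as files rather than over HTTP). The CA name, the host name www.example.test, the file names and the config are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): toy CA, issue, revoke, then
# check revocation status via CRL and via an OCSP exchange.
# All names and files below are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config serves 'openssl req' (CA certificate) and 'openssl ca' (issue/revoke/CRL).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, digitalSignature, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
mkdir newcerts
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Root CA, then a leaf certificate recorded in the CA's database (index.txt).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.crt 2>/dev/null

# CRL check: the CA publishes a fresh CRL; a client holding the CA certificate
# and that CRL validates the leaf. Prints "good" or "revoked".
crl_status() {
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > bundle.pem
  out="$(openssl verify -crl_check -CAfile bundle.pem leaf.crt 2>&1 || true)"
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo good ;;
    *)                       echo "error: $out"; return 1 ;;
  esac
}

# OCSP exchange done with files instead of HTTP: the client builds a request
# naming one certificate serial, the responder answers from index.txt, and the
# client verifies the signed response against the CA. Prints good/revoked/unknown.
ocsp_status() {
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -CAfile ca.crt \
    -respin resp.der 2>/dev/null | sed -n 's/^leaf.crt: //p'
}

BEFORE_CRL="$(crl_status)"
BEFORE_OCSP="$(ocsp_status)"

# The private key is now assumed stolen: the CA revokes the certificate.
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null

AFTER_CRL="$(crl_status)"
AFTER_OCSP="$(ocsp_status)"
# A client that never consults a CRL or OCSP still accepts the revoked certificate.
NO_CHECK="$(openssl verify -CAfile ca.crt leaf.crt 2>&1 | sed -n 's/^leaf.crt: //p')"

echo "before revocation:  CRL=$BEFORE_CRL OCSP=$BEFORE_OCSP"
echo "after revocation:   CRL=$AFTER_CRL OCSP=$AFTER_OCSP"
echo "after revocation, client skipping the check: $NO_CHECK"
```

The last line is the point of the post: revocation only protects clients that actually fetch the CRL or ask the OCSP responder, and `req.der` is exactly the per-site query that OCSP leaks to the CA.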

Conclusion:

The unavoidable truth is that the SSL Certificate Revocation system is broken and badly needs to be fixed. Meanwhile, the best you can do to protect yourself from SSL Certificate compromise is to reduce the validity period of the SSL Certificates you obtain: for example, instead of three years, go for one year or even less. With reduced validity periods, even if your certificate is compromised, attackers will at least have less time to abuse it before it expires. And with regard to the current SSL Revocation System, we need better tools for handling this process efficiently.
