Can SSL Certificate Checking System Be Saved?

Google says Web certificate revocation checking system is broken, joins other browser vendors at RSA to discuss solutions.

RSA CONFERENCE 2012--San Francisco--The way that browsers perform SSL certificate-revocation checking is so fundamentally flawed that some browser vendors have turned it off altogether, according to browser vendor representatives in a panel at RSA last week. Moderated by a certificate authority (CA) representative, the panel involved key players from Mozilla, Google, and Opera, who all put forward potential solutions to the problem of how to check the valid status of SSL certificates issued by CAs.

At the moment, sites depend on two methods for checking the valid status of SSL certificates online. One is the certificate revocation list (CRL), which each CA publishes periodically to list the certificates it has revoked. The other is the online certificate status protocol (OCSP): responder systems the CAs run to relay the up-to-date status of a site's certificate to a user's browser when the user visits the site.


"So why are we here today?" said panel moderator Kirk Hall, operations director of trust services for Trend Micro. "That sounds like a perfect system, right? It should work. But it doesn't."

Hall says there are several reasons why CRLs and OCSP are not working in the real world. For one, the CRLs can be up to seven days old and "the CRL in your client at any given time will probably not reflect the most recent list of revocations from that particular root," Hall says.

At the same time, while OCSP is supposed to be a more real-time method of checking, its latency problems have doomed its prospects at the moment. Whether it is through slow responses due to slow connections, connectivity issues involving system firewalls, or scalability issues for CAs responding to OCSP queries at high-volume sites, the number of errors returned by OCSP responders for sites with valid certificates can be quite high. In the name of usability, browser vendors have all but neutered OCSP safeguards by turning off "hard-fail" when OCSP does not respond with a positive result.
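As an added illustration (not code from the article or from any browser), the following Python models the decision the panel is describing: OCSP is asked first, a CRL is used as the fallback only while it is inside its own validity window, and a hard-fail or soft-fail policy decides the outcome when neither source gives an answer. The CRL contents, serial numbers and clock are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Ocsp(Enum):
    """Outcomes of an OCSP query, including the failure cases the article lists."""
    GOOD = "good"          # responder positively confirms the certificate
    REVOKED = "revoked"    # responder says the certificate was revoked
    UNKNOWN = "unknown"    # responder has no record of this certificate
    ERROR = "error"        # timeout, firewall block, overload, no/garbled reply


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a parsed CRL: revoked serials plus validity window."""
    revoked_serials: frozenset
    this_update: datetime
    next_update: datetime

    def is_fresh(self, now):
        # A CRL is only usable inside its own validity window; the article
        # notes the copy in a client can be up to seven days behind the CA.
        return self.this_update <= now <= self.next_update


def check_revocation(serial, crl, ocsp, now, hard_fail):
    """Return (accept, reason) for a certificate with the given serial number.

    OCSP is consulted first because it is meant to be current; a fresh CRL is
    the fallback. hard_fail=True rejects whenever status cannot be confirmed,
    the safeguard the article says browsers have switched off for usability.
    """
    if ocsp is Ocsp.REVOKED:
        return False, "ocsp: revoked"
    if ocsp is Ocsp.GOOD:
        return True, "ocsp: good"
    if crl is not None and crl.is_fresh(now):
        if serial in crl.revoked_serials:
            return False, "crl: revoked"
        return True, "crl: not listed (ocsp %s)" % ocsp.value
    if hard_fail:
        return False, "hard-fail: status unavailable (ocsp %s)" % ocsp.value
    return True, "soft-fail: accepted unchecked (ocsp %s)" % ocsp.value


NOW = datetime(2012, 3, 5, tzinfo=timezone.utc)  # constructed clock
FRESH_CRL = Crl(frozenset({0x1001}), NOW - timedelta(days=1), NOW + timedelta(days=6))
STALE_CRL = Crl(frozenset({0x1001}), NOW - timedelta(days=10), NOW - timedelta(days=3))
```

With serial 0x1001 revoked, an OCSP error and a stale CRL, the soft-fail policy accepts the certificate while hard-fail rejects it; a fresh CRL catches the revocation in either mode.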

Read the rest of this article on Dark Reading.
