Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

RSA Conference 2012: Digital Certificate Revocation Challenges Laid Bare

RSA Conference News

RSA Conference News

2011 was something of a watershed year for security discussions about digital certificates. Before the year was up, the world’s certificate authorities and registration authorities experienced three high-profile breaches: Comodo, DigiNotar and KPN. In each case, the difficulties surrounding the revocation of bad certificates were laid bare.

For some, this prompted an examination of solutions to the current system, which relies on communication between the Certificate Authorities (CAs) and browser vendors such as Google, Mozilla and Microsoft. In a presentation at the RSA Conference in San Francisco Tuesday, representatives from Google, Opera Software, Mozilla and security firm Trend Micro offered up their own potential solutions to the challenge.

RSA 2012 News CoverageWhat is clear is that the current system is not working, opined Google software engineer Adam Langley, and “the proof is in the pudding.”

Certificates can be revoked for a number of reasons. For example, if the owner notifies a CA the certificate needs to be revoked, or if for example a CA is found to have improperly issued a certificate. When a decision is made by the CA to revoke the certificate, it publishes the revocation in the Certificate Revocation List (CRL). However, the time it takes to get this information to the browser vendors who need it has some in the industry considering other approaches.

Among them, noted Langley, is online certificate status protocol (OCSP) stapling. Internet Explorer added support for this in version 7 of Windows Vista, as well as all versions of Mozilla Firefox. It is also supported by versions 8.0 and higher on Opera, Apple Safari on Mac OS X and Google Chrome. However, the approach has its downside. OCSP stapling supports only one OCSP response at a time, which does not cut it for sites that use multiple certificates for a single page.

Other approaches have pros and cons as well, the panelists said.

Google recently announced plans to stop querying CRLs and databases relying on OCSP. Instead, Chome will leverage its automatic update mechanism to keep a current list of certificates that have been revoked, which would enable the list to take effect without the user having to restart the browser.

Anyone taking a look at their browser’s latest certificate revocation list during the past year can see it has gotten bigger, noted Ed Skoudis, chief technology officer at Counter Hack Challenges, in a separate presentation Tuesday.

“This is a problem,” he said. “You can alternatively if you are bad guy trick the certificate authority, or registration authority into giving you a certificate. The whole goal of this is for the attacker to avoid the browser pop-up message saying, ‘warning this is an un-trusted SSL connection’.”

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...