Security Experts:

Mozilla to Introduce New Certificate Revocation Feature in Firefox 37

Mozilla wants to improve the process of revoking intermediate certificates and it plans on doing so with a new feature that will be introduced in Firefox 37.

The new mechanism is called OneCRL and it relies on a centralized list of revoked certificates that is pushed to the Web browser.

Currently, Firefox leverages a system called OCSP (online certificate status protocol), which is used by the browser to check the status of a certificate. However, using OCSP for certificate revocation can be problematic, as Google security engineer Adam Langley highlighted last year.

With the current system, when a certificate needs to be revoked, Mozilla is forced to release a Firefox update, and users need to install the updated version and restart the application. The process is not only slow, but also costly, Mozilla security engineer Mark Goodwin explained in a blog post.

Mozilla’s blocklisting feature allows the company to disable plugins, add-ons, and other third-party software that could pose a risk. OneCRL extends the blocklist to include revoked certificates, which means that users will no longer have to update or restart Firefox in order to be protected.

With OneCRL, live OCSP checks are no longer needed, which speeds up the revocation process, particularly in the case of extended validation (EV) certificates, Mozilla said.

For the time being, the new feature only covers CA intermediate certificates because Mozilla wants to limit the size of the blocklist. Whenever a CA notifies Mozilla that an intermediate certificate needs to be revoked, OneCRL will be updated.

“The initial version of OneCRL that we have today is an important step. It will speed up revocation checking, especially for sites that use EV certificates. But we’re not done yet,” Goodwin said. “We’re working on scaling up OneCRL so that its benefits apply more broadly, and on automating the collection of revocation information so that it gets to browsers more quickly.”

Firefox 37 is scheduled for release on March 31. The current version of the Web browser, Firefox 36, was released on February 24 and it fixed a total of 17 security issues.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.