Mozilla wants to improve the process of revoking intermediate certificates and it plans on doing so with a new feature that will be introduced in Firefox 37.
The new mechanism is called OneCRL and it relies on a centralized list of revoked certificates that is pushed to the Web browser.
Currently, Firefox leverages a system called OCSP (online certificate status protocol), which is used by the browser to check the status of a certificate. However, using OCSP for certificate revocation can be problematic, as Google security engineer Adam Langley highlighted last year.
With the current system, when a certificate needs to be revoked, Mozilla is forced to release a Firefox update, and users need to install the updated version and restart the application. The process is not only slow, but also costly, Mozilla security engineer Mark Goodwin explained in a blog post.
Mozilla’s blocklisting feature allows the company to disable plugins, add-ons, and other third-party software that could pose a risk. OneCRL extends the blocklist to include revoked certificates, which means that users will no longer have to update or restart Firefox in order to be protected.
With OneCRL, live OCSP checks are no longer needed, which speeds up the revocation process, particularly in the case of extended validation (EV) certificates, Mozilla said.
For the time being, the new feature only covers CA intermediate certificates because Mozilla wants to limit the size of the blocklist. Whenever a CA notifies Mozilla that an intermediate certificate needs to be revoked, OneCRL will be updated.
“The initial version of OneCRL that we have today is an important step. It will speed up revocation checking, especially for sites that use EV certificates. But we’re not done yet,” Goodwin said. “We’re working on scaling up OneCRL so that its benefits apply more broadly, and on automating the collection of revocation information so that it gets to browsers more quickly.”
Firefox 37 is scheduled for release on March 31. The current version of the Web browser, Firefox 36, was released on February 24 and it fixed a total of 17 security issues.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
