Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Mozilla to Introduce New Certificate Revocation Feature in Firefox 37

Mozilla wants to improve the process of revoking intermediate certificates and it plans on doing so with a new feature that will be introduced in Firefox 37.

The new mechanism is called OneCRL and it relies on a centralized list of revoked certificates that is pushed to the Web browser.

Mozilla wants to improve the process of revoking intermediate certificates and it plans on doing so with a new feature that will be introduced in Firefox 37.

The new mechanism is called OneCRL and it relies on a centralized list of revoked certificates that is pushed to the Web browser.

Currently, Firefox leverages a system called OCSP (online certificate status protocol), which is used by the browser to check the status of a certificate. However, using OCSP for certificate revocation can be problematic, as Google security engineer Adam Langley highlighted last year.

With the current system, when a certificate needs to be revoked, Mozilla is forced to release a Firefox update, and users need to install the updated version and restart the application. The process is not only slow, but also costly, Mozilla security engineer Mark Goodwin explained in a blog post.

Mozilla’s blocklisting feature allows the company to disable plugins, add-ons, and other third-party software that could pose a risk. OneCRL extends the blocklist to include revoked certificates, which means that users will no longer have to update or restart Firefox in order to be protected.

With OneCRL, live OCSP checks are no longer needed, which speeds up the revocation process, particularly in the case of extended validation (EV) certificates, Mozilla said.

For the time being, the new feature only covers CA intermediate certificates because Mozilla wants to limit the size of the blocklist. Whenever a CA notifies Mozilla that an intermediate certificate needs to be revoked, OneCRL will be updated.

“The initial version of OneCRL that we have today is an important step. It will speed up revocation checking, especially for sites that use EV certificates. But we’re not done yet,” Goodwin said. “We’re working on scaling up OneCRL so that its benefits apply more broadly, and on automating the collection of revocation information so that it gets to browsers more quickly.”

Advertisement. Scroll to continue reading.

Firefox 37 is scheduled for release on March 31. The current version of the Web browser, Firefox 36, was released on February 24 and it fixed a total of 17 security issues.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Security awareness training firm KnowBe4 has named Bryan Palma as president and CEO effective May 5.

Threat intelligence firm Team Cymru has appointed Joe Sander as its Chief Executive Officer.

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.