RSA Conference 2012: Digital Certificate Revocation Challenges Laid Bare

RSA Conference News

2011 was something of a watershed year for security discussions about digital certificates. Before the year was up, the world’s certificate authorities and registration authorities experienced three high-profile breaches: Comodo, DigiNotar and KPN. In each case, the difficulties surrounding the revocation of bad certificates were laid bare.

For some, this prompted an examination of solutions to the current system, which relies on communication between the Certificate Authorities (CAs) and browser vendors such as Google, Mozilla and Microsoft. In a presentation at the RSA Conference in San Francisco Tuesday, representatives from Google, Opera Software, Mozilla and security firm Trend Micro offered up their own potential solutions to the challenge.

What is clear is that the current system is not working, opined Google software engineer Adam Langley, and “the proof is in the pudding.”

Certificates can be revoked for a number of reasons: for example, if the owner notifies a CA that the certificate needs to be revoked, or if a CA is found to have issued a certificate improperly. When a CA decides to revoke a certificate, it publishes the revocation in its Certificate Revocation List (CRL). However, the time it takes for this information to reach the browser vendors who need it has some in the industry considering other approaches.

Among them, noted Langley, is Online Certificate Status Protocol (OCSP) stapling. Internet Explorer added support for it in version 7 on Windows Vista, as have all versions of Mozilla Firefox. It is also supported by Opera 8.0 and higher, Apple Safari on Mac OS X and Google Chrome. However, the approach has its downside: OCSP stapling supports only one OCSP response at a time, which does not cut it for sites that use multiple certificates for a single page.

Other approaches have pros and cons as well, the panelists said.

Google recently announced plans to stop querying CRLs and OCSP-based databases. Instead, Chrome will use its automatic update mechanism to keep a current list of revoked certificates, which lets an updated list take effect without the user having to restart the browser.

Anyone taking a look at their browser’s latest certificate revocation list during the past year can see it has gotten bigger, noted Ed Skoudis, chief technology officer at Counter Hack Challenges, in a separate presentation Tuesday.

“This is a problem,” he said. “You can alternatively, if you are a bad guy, trick the certificate authority or registration authority into giving you a certificate. The whole goal of this is for the attacker to avoid the browser pop-up message saying, ‘Warning: this is an untrusted SSL connection.’”
