Security Experts:

Connect with us

Hi, what are you looking for?



RSA Conference 2012: Digital Certificate Revocation Challenges Laid Bare

RSA Conference News

RSA Conference News

2011 was something of a watershed year for security discussions about digital certificates. Before the year was up, the world’s certificate authorities and registration authorities experienced three high-profile breaches: Comodo, DigiNotar and KPN. In each case, the difficulties surrounding the revocation of bad certificates were laid bare.

For some, this prompted an examination of solutions to the current system, which relies on communication between the Certificate Authorities (CAs) and browser vendors such as Google, Mozilla and Microsoft. In a presentation at the RSA Conference in San Francisco Tuesday, representatives from Google, Opera Software, Mozilla and security firm Trend Micro offered up their own potential solutions to the challenge.

RSA 2012 News CoverageWhat is clear is that the current system is not working, opined Google software engineer Adam Langley, and “the proof is in the pudding.”

Certificates can be revoked for a number of reasons. For example, if the owner notifies a CA the certificate needs to be revoked, or if for example a CA is found to have improperly issued a certificate. When a decision is made by the CA to revoke the certificate, it publishes the revocation in the Certificate Revocation List (CRL). However, the time it takes to get this information to the browser vendors who need it has some in the industry considering other approaches.

Among them, noted Langley, is online certificate status protocol (OCSP) stapling. Internet Explorer added support for this in version 7 of Windows Vista, as well as all versions of Mozilla Firefox. It is also supported by versions 8.0 and higher on Opera, Apple Safari on Mac OS X and Google Chrome. However, the approach has its downside. OCSP stapling supports only one OCSP response at a time, which does not cut it for sites that use multiple certificates for a single page.

Other approaches have pros and cons as well, the panelists said.

Google recently announced plans to stop querying CRLs and databases relying on OCSP. Instead, Chome will leverage its automatic update mechanism to keep a current list of certificates that have been revoked, which would enable the list to take effect without the user having to restart the browser.

Anyone taking a look at their browser’s latest certificate revocation list during the past year can see it has gotten bigger, noted Ed Skoudis, chief technology officer at Counter Hack Challenges, in a separate presentation Tuesday.

“This is a problem,” he said. “You can alternatively if you are bad guy trick the certificate authority, or registration authority into giving you a certificate. The whole goal of this is for the attacker to avoid the browser pop-up message saying, ‘warning this is an un-trusted SSL connection’.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...