
Comment by jiggawatts

4 years ago

This used to be true, but neither Chrome nor Firefox actually check CRLs or OCSP that much. They'll accept OCSP-stapling, but that's about it.

This is a very serious concern for Enterprise PKI systems: revoking certificates is now virtually impossible. CRLs and OCSP do practically nothing.

Google especially has unilaterally decided that Enterprise PKI systems don't matter. They have established a new "standard" called Certificate Transparency, which they use to make CRLSets that they publish as Chrome updates.

Which is fine I suppose for public CAs, but utterly useless on internal-use private CAs on local networks, especially those with lots of BYOD or guest/partner systems. Think universities or hospitals.

Google has become a juggernaut with more control over computing in general (not even just the Internet!) than all of the world governments put together.

They're getting truly terrifying.

It's a shame you're being downvoted as you're right, CRLs and OCSP do practically nothing _for web browsers_.

OCSP is flawed because you can block the connection, meaning:

1) Your browser has to accept it (thus an attacker feeding you the bad certificate can bypass OCSP)

2) Your browser blocks completely (thus DoSing all connections), and people use another browser

CRLs don't scale - you can't keep a cached list of every revoked cert globally.

However I pull down the CRLs for my internal CA every few hours onto my internal https sites, which rely on a client presenting a valid certificate to connect. If that doesn't get pulled down, I get a warning about it in the monitoring system. When a client with a client certificate connects, I check against my local cache of the CRL, and if it's been revoked, it can't connect.

What problem do you have on your private CA internal network that CRLs fix but browsers don't? Are you that concerned that your server certificates get compromised? You should be working to massively reduce the time those certificates are valid.
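The local CRL gate described in the comment above, as an added example that is not the commenter's own code or setup: a Go program (standard library only) that builds a throwaway internal CA in memory, issues two client certificates, publishes a CRL revoking one of them, and then checks a presented certificate the way the comment's HTTPS sites do, chaining it to the CA and consulting the cached CRL. The CA name, client names, serial numbers and lifetimes are constructed for the example. One rule is my own choice rather than something the comment states: when the cached CRL is past its nextUpdate (the condition the comment's monitoring alert would catch), the check refuses rather than silently accepting.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrRevoked  = errors.New("client certificate serial is listed in the CRL")
	ErrStaleCRL = errors.New("cached CRL is past its nextUpdate; refusing to decide")
)

// DemoPKI stands in for an internal CA: the CA cert, two client certs and a CRL
// that revokes alice. Everything is generated at run time (constructed data).
type DemoPKI struct {
	CA, Alice, Bob *x509.Certificate
	CRL            *x509.RevocationList
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates the CA, two client certs (serials 1001 and 1002, both
// constructed) and a CRL valid for six hours that revokes serial 1001 (alice).
func BuildDemoPKI() (*DemoPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign the CRL
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	client := func(serial int64, cn string) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &key.PublicKey, caKey)
	}
	alice, err := client(1001, "alice")
	if err != nil {
		return nil, err
	}
	bob, err := client(1002, "bob")
	if err != nil {
		return nil, err
	}
	// The CRL the CA publishes; the "pull it down every few hours" job in the
	// comment is what keeps a fresh copy of this on each HTTPS site.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(6 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: alice.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{CA: ca, Alice: alice, Bob: bob, CRL: crl}, nil
}

// VerifyClientCert is the gate from the comment: chain the presented cert to the
// internal CA, make sure the cached CRL is genuinely ours and still fresh, then
// reject the cert if its serial number appears in the list. It fails closed on
// a stale CRL (an assumption of this example, not a rule the comment states).
func VerifyClientCert(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return fmt.Errorf("CRL is not from this certificate's issuer: %v", err)
	}
	if now.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	pki, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{pki.Alice, pki.Bob} {
		fmt.Printf("%s (serial %v): %v\n", c.Subject.CommonName, c.SerialNumber, VerifyClientCert(c, pki.CA, pki.CRL, time.Now()))
	}
}
```

Run it and alice is refused with ErrRevoked while bob passes; calling VerifyClientCert with a time past the CRL's NextUpdate returns ErrStaleCRL instead of an answer, which is the situation the comment's monitoring warning exists to surface before it happens. In a real deployment the CRL would be loaded from the fetched file rather than built in memory, and the issuer check matters as soon as more than one CA is in play.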

Firefox has historically checked OCSP by default everywhere but for Firefox mobile, where it was only checked for EV certs.

With the introduction of CRLite, the default is disabled, but those using Firefox with internal-use private CAs on local networks can re-enable it via preferences, which can also be controlled by enterprise policies and tooling.

This is all true; OCSP-stapling is the thing these days.

But these browsers won't trust a cert if it can't be found in a Certificate Transparency log. Yes, a cert should be in at least two of them, but if there's a networking problem or infrastructure issue, you're SOL.