Papers, Please... - X.509 Certificate Revocation in Practice

Manuel Koschuch, Ronald Wagner

Abstract

X.509v3 certificates are the current standard for verifiably associating an entity with a public key, and are widely used in different networking applications: from HTTPS in browsers and SSH connections to e-mail, PDF and code signing. This wide usage also necessitates the existence of a robust, reliable way to detect and deal with compromised or otherwise invalid certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are the two mechanisms currently deployed to handle revoked certificates. In this position paper we present preliminary results of our research into the practical use of these protocols, using an existing data set to show that almost 85% of certificates currently in use contain no revocation information, and compare different browsers under different operating systems in how they deal with unreachable OCSP servers. We find that browser behaviour in this case ranges from opening the site without any warnings whatsoever to totally blocking it, indicating no clear default reaction and no reliable behaviour.
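As an added example (not code from the paper or its authors), the following Go program performs the check behind the abstract's 85% figure: it inspects parsed X.509 certificates for an OCSP responder URL (Authority Information Access) and a CRL Distribution Points extension, and tallies the share carrying neither. The certificates, host names and URLs are constructed inline so the check runs offline; a real survey would feed certificates from a scan data set instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RevocationInfo records which revocation pointers a certificate carries:
// an OCSP responder URL (Authority Information Access) and/or CRL Distribution Points.
type RevocationInfo struct{ HasOCSP, HasCRL bool }

// Classify inspects a parsed certificate for OCSP and CRL pointers.
func Classify(c *x509.Certificate) RevocationInfo {
	return RevocationInfo{HasOCSP: len(c.OCSPServer) > 0, HasCRL: len(c.CRLDistributionPoints) > 0}
}

// WithoutRevocationPercent is the share of certs carrying neither pointer
// (the figure the paper reports as almost 85%); an empty set yields 0.
func WithoutRevocationPercent(certs []*x509.Certificate) float64 {
	if len(certs) == 0 {
		return 0
	}
	none := 0
	for _, c := range certs {
		if r := Classify(c); !r.HasOCSP && !r.HasCRL {
			none++
		}
	}
	return 100 * float64(none) / float64(len(certs))
}

// MakeTestCert builds a constructed self-signed certificate (hypothetical names,
// not a real CA) carrying the given OCSP/CRL URLs, so the check runs offline.
func MakeTestCert(ocsp, crl []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), OCSPServer: ocsp, CRLDistributionPoints: crl,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```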

Paper Citation


in Harvard Style

Koschuch M. and Wagner R. (2014). Papers, Please... - X.509 Certificate Revocation in Practice. In Proceedings of the 5th International Conference on Data Communication Networking - Volume 1: DCNET, (ICETE 2014) ISBN 978-989-758-042-0, pages 36-40. DOI: 10.5220/0005113800360040


in Bibtex Style

@conference{dcnet14,
author={Manuel Koschuch and Ronald Wagner},
title={Papers, Please... - X.509 Certificate Revocation in Practice},
booktitle={Proceedings of the 5th International Conference on Data Communication Networking - Volume 1: DCNET, (ICETE 2014)},
year={2014},
pages={36-40},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005113800360040},
isbn={978-989-758-042-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Conference on Data Communication Networking - Volume 1: DCNET, (ICETE 2014)
TI - Papers, Please... - X.509 Certificate Revocation in Practice
SN - 978-989-758-042-0
AU - Koschuch M.
AU - Wagner R.
PY - 2014
SP - 36
EP - 40
DO - 10.5220/0005113800360040