We've received a fair number of questions on today's emergency patch from Microsoft ( https://isc.sans.edu/diary/13366 ), and many of them have been simply "Why don't they just put the affected Certs into the CRL (Certificate Revocation List)"? That is, after all, what the CRL is for, and it's part of the SSL protocol for goodness sake!

Rob VandenBrink, ISC Handler, Jun 4th 2012
In this particular case, there are attack vectors when the machine is not on the internet, making CRL checking impossible. Patch is required.
Anonymous, Jun 4th 2012
Moxie Marlinspike has some excellent YouTube presentations on the fundamental problem with our use of SSL, or more correctly, our TRUST in browsers that in turn trust certificate authorities.
http://convergence.io/ looks to fix some of the problems with SSL, and works today with a simple browser plugin - yeah, and it's very fast and doesn't introduce new vulnerabilities. If you think SSL is flawed, or you think SSL solves everything, you should read this, because both groups are right 'sort of'.
DomMcIntyreDeVitto, Jun 4th 2012
The biggest concern, what Joshua said in his post, is what happens when the machine is offline. _Most_ browsers, by default, when they can't contact a CRL, just assume that the certificate is good, and not revoked. So a DoS of sorts could be performed against a CRL server, and make the certificate "appear" to be good.
MikeDawg, Jun 4th 2012
And yet when we have an SSL page that has mixed content or there are problems determining the validity of a cert, the browsers make sure to make a clear notification that there is an issue to the user. What is the use if the CRL is not checked? Like having a car with airbags but no seatbelts. I am sure there are ways to ensure its use, but for the common user they would never know. If we had multiple channels to check revocation then it would take a large distributed attack to ensure all CRL servers were unresponsive.
Thanks, http://mjddesign.wordpress.com
Matthew, Jun 5th 2012
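The soft-fail behaviour MikeDawg describes, and the offline case raised by the Anonymous and Matthew comments, as an added example that is not part of the original thread: a toy revocation check in Python with constructed data (no real CRL parsing) showing how one revoked serial is accepted when the distribution point is unreachable under soft-fail, rejected under hard-fail, and still caught offline when an unexpired cached CRL is available.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

# Constructed CRL model (not a DER parser): the revoked serials plus the
# thisUpdate/nextUpdate window that decides whether a cached copy is usable.
@dataclass
class CRL:
    revoked: frozenset
    this_update: datetime
    next_update: datetime

class CRLUnavailable(Exception):
    """Raised by a fetcher when the distribution point cannot be reached."""

def check_revocation(serial: int, fetch: Callable[[], CRL], now: datetime,
                     cached: Optional[CRL] = None,
                     hard_fail: bool = False) -> Tuple[str, bool]:
    """Return (status, accepted). hard_fail=False is the soft-fail default
    the thread describes: an unreachable CRL with no usable cache passes."""
    crl = None
    try:
        crl = fetch()
    except CRLUnavailable:
        # A cached CRL is only trustworthy while it is within nextUpdate.
        if cached is not None and cached.next_update > now:
            crl = cached
    if crl is None:
        return ("unknown", not hard_fail)
    if serial in crl.revoked:
        return ("revoked", False)
    return ("good", True)

def demo() -> dict:
    """Run one revoked serial through the scenarios raised in the thread."""
    now = datetime(2012, 6, 4, tzinfo=timezone.utc)
    serial = 0x1234  # constructed sample serial, not a real certificate
    crl = CRL(frozenset({serial}), now - timedelta(days=1), now + timedelta(days=7))
    def offline() -> CRL:  # models a DoS'd or unreachable CRL server
        raise CRLUnavailable("distribution point unreachable")
    later = now + timedelta(days=8)  # past nextUpdate, so the cache is stale
    return {
        "online": check_revocation(serial, lambda: crl, now),
        "offline_soft_fail": check_revocation(serial, offline, now),
        "offline_hard_fail": check_revocation(serial, offline, now, hard_fail=True),
        "offline_fresh_cache": check_revocation(serial, offline, now, cached=crl),
        "offline_stale_cache": check_revocation(serial, offline, later, cached=crl),
    }
```

The "offline_soft_fail" and "offline_stale_cache" results are the case the thread worries about: the revoked certificate is accepted because the verifier had nothing to check against.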