Latest news
Future versions of Google's Chrome browser will no longer use online revocation checks to verify whether the HTTPS site the user wants to visit possesses a valid certificate, shared Google researcher Adam Langley in a blog post.So far, Crome - as, indeed, all other major browsers - sends OCSP and CRL queries to the services run by the Certificate Authorities in order to verify whether that particular certificate has been revoked. But, as Langley points out, the process is deeply flawed and Google has finally decided to do something about it.
"The problem with these checks, that we call online revocation checks, is that the browser can't be sure that it can reach the CA's servers," he explains. "There are lots of cases where it's not possible: captive portals are one. A captive portal frequently requires you to sign in on an HTTPS site, but blocks traffic to all other sites, including the CA's OCSP servers."
"If browsers were to insist on talking to the CA before accepting a certificate, all these cases would stop working. There's also the concern that the CA may experience downtime and it's bad engineering practice to build in single points of failure. Therefore online revocation checks which result in a network error are effectively ignored (this is called 'soft-fail')."
And, unfortunately, attackers who are able to intercept HTTPS connection can also make it so that the revocation checks appear to have failed instead of pointing out that a certificate is no longer valid, and the user is allowed to proceed to the site.
"While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks are slow and compromise privacy. The median time for a successful OCSP check is ~300ms and the mean is nearly a second. This delays page loading and discourages sites from using HTTPS. They are also a privacy concern because the CA learns the IP address of users and which sites they're visiting," wrote Langley and compared soft-fail revocation checks to a seat-belt that snaps when you crash.
Instead of this essentially flawed process, Chrome will use its own update mechanism to maintain a list of revoked certificates, and that will not require a restart of the browser.
"An attacker can still block updates, but they have to be able to maintain the block constantly, from the time of revocation, to prevent the update. This is much harder than blocking an online revocation check, where the attacker only has to block the checks during the attack," he points out, and invited CAs to contribute their revoked certificates to the list.
Spotlight
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Is Microsoft is reading your Skype communications?
Posted on 15 May 2013. | The question of whether Skype allows U.S. intelligence and law enforcement agencies to access the communications exchanged by its users has still not been adequately answered by Microsoft.
Internet Explorer best at blocking malware
Posted on 14 May 2013. | While Chrome’s malware download protection improved significantly, Internet Explorer 10 continues to outperform the other browsers with a block rate of 99.96%.
Researcher refuses to help Saudi telco to spy on people
Posted on 14 May 2013. | You would think that a Saudi Arabian telecom firm interested in monitoring its users' mobile communications would not be asking a well-known pro-privacy researcher for help, but you would be wrong.
Malicious browser extensions are hijacking Facebook accounts
Posted on 13 May 2013. | Facebook users - especially those in Brazil - are being targeted with malicious browser extensions trying to hijack Facebook profiles, warns Microsoft.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
