Trust Revoked — Practical Evaluation of OCSP- and CRL-Checking Implementations

  • Conference paper
E-Business and Telecommunications (ICETE 2014)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 554))

Abstract

When deploying asymmetric cryptography, robust ways to reliably link a public key to a certain identity have to be devised. The current standard for doing so is the X.509v3 certificate. Such certificates are used in HTTPS and SSH as well as in code, e-mail and PDF signing. This widespread use creates the need for an efficient way of revoking a certificate whose private key has been compromised. Two methods are currently available for this: the older Certificate Revocation Lists (CRL) and the newer Online Certificate Status Protocol (OCSP). In this work we perform a practical evaluation of how different software, such as web browsers and PDF viewers, deals with OCSP, in particular when the OCSP server cannot be reached. We find widely varying behavior, from silently accepting any certificate to completely blocking access. In addition we search an existing data set of X.509v3 HTTPS certificates for revocation information, finding that almost 85 % of them contain neither CRL nor OCSP information, which renders any practical revocation attempt nearly useless.

Notes

  1. http://heartbleed.com/.

  2. Note that there is one possible response that can be sent without signing: the status code "3", meaning tryLater, which has led to subtle attacks against this protocol [10].
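The two failure modes discussed above, the unreachable responder from the abstract and the unsigned tryLater status from note 2, as an added example that is not part of the paper: a standard-library Python parser for the outer OCSPResponse envelope (RFC 6960, section 4.2.1) followed by the soft-fail versus hard-fail policy a relying party applies to it. All byte strings are constructed for this example; the `decide` function, its `verify-body` outcome and the placeholder OCTET STRING standing in for a signed BasicOCSPResponse are this example's own assumptions, not the paper's.

```python
"""Added example (not the paper's code): triage of the outer OCSPResponse
envelope and the soft-fail / hard-fail policy decision the paper evaluates.
Standard library only; every byte string below is constructed for this example."""
from enum import IntEnum
from typing import Optional, Tuple


class OCSPResponseStatus(IntEnum):
    """OCSPResponseStatus values from RFC 6960 (value 4 is unused)."""
    successful = 0
    malformedRequest = 1
    internalError = 2
    tryLater = 3
    sigRequired = 5
    unauthorized = 6


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_envelope(resp: bytes) -> Tuple[OCSPResponseStatus, Optional[bytes]]:
    """Parse OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
    responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }.
    Returns the status and the raw ResponseBytes (None when absent)."""
    tag, body, end = read_tlv(resp, 0)
    if tag != 0x30 or end != len(resp):
        raise ValueError("OCSPResponse must be a single SEQUENCE")
    tag, val, pos = read_tlv(body, 0)
    if tag != 0x0A or len(val) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    status = OCSPResponseStatus(val[0])  # ValueError on an undefined value
    if pos == len(body):
        return status, None
    tag, response_bytes, pos = read_tlv(body, pos)
    if tag != 0xA0 or pos != len(body):
        raise ValueError("unexpected element after responseStatus")
    return status, response_bytes


# Constructed sample 1: the unsigned 'tryLater' envelope (five bytes).  It
# carries no signature, so anyone on the path can substitute it for a real
# answer (the "character '3'" attack of reference [10]).
TRY_LATER = der(0x30, der(0x0A, b"\x03"))

# Constructed sample 2: a 'successful' envelope whose ResponseBytes names
# id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1).  In a real response the OCTET
# STRING holds a signed BasicOCSPResponse; a placeholder is used here.
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")
SUCCESSFUL = der(0x30,
                 der(0x0A, b"\x00")
                 + der(0xA0, der(0x30, der(0x06, ID_PKIX_OCSP_BASIC)
                                       + der(0x04, b"<BasicOCSPResponse>"))))


def decide(resp: Optional[bytes], hard_fail: bool) -> str:
    """Policy step a relying party applies before any signature check.
    resp=None models an unreachable responder (timeout, blocked port).
    Returns 'accept', 'reject' or 'verify-body'; only the last case carries
    a BasicOCSPResponse whose signature, CertID, certStatus and
    thisUpdate/nextUpdate window must still be checked (not shown here)."""
    if resp is not None:
        try:
            status, response_bytes = parse_envelope(resp)
        except ValueError:
            status, response_bytes = None, None
        if status is OCSPResponseStatus.successful and response_bytes is not None:
            return "verify-body"
    # Unreachable, malformed, or an unsigned error status: no evidence either
    # way.  Soft-fail treats "no evidence" as "not revoked"; hard-fail does not.
    return "reject" if hard_fail else "accept"


if __name__ == "__main__":
    for name, sample in (("tryLater", TRY_LATER), ("successful", SUCCESSFUL),
                         ("unreachable", None)):
        print(f"{name:11s} soft-fail={decide(sample, False):12s} "
              f"hard-fail={decide(sample, True)}")
```

The point the example makes is that the soft-fail branch cannot distinguish a blocked network path from a forged tryLater envelope: both reach `decide` without a signed body, so a client that soft-fails accepts the certificate in either case, which is exactly the "silently accepting" behavior the abstract reports.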

References

  1. Meyer, C., Schwenk, J.: SoK: lessons learned from SSL/TLS attacks. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 172–189. Springer, Heidelberg (2014)

  2. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: Proceedings of the 22nd USENIX Security Symposium, pp. 605–620. USENIX Association, Berkeley (2013)

  3. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC (2008)

  4. Yee, P.: RFC 6818 - Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC (2013)

  5. Housley, R., Ford, W., Polk, W., Solo, D.: RFC 2459 - Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC (1999)

  6. Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: RFC 6960 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC (2013)

  7. Eastlake, D.: RFC 6066 - Transport Layer Security (TLS) Extensions: Extension Definitions. RFC (2011)

  8. Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A.: Analysis of the HTTPS Certificate Ecosystem. In: Proceedings of the 13th Internet Measurement Conference, pp. 291–304. ACM, New York (2013)

  9. Langley, A.: No, don't enable revocation checking (2014). https://www.imperialviolet.org/2014/04/19/revchecking.html

  10. Marlinspike, M.: Defeating OCSP with the Character '3' (2009). http://www.thoughtcrime.org/papers/ocsp-attack.pdf

  11. Langley, A.: Revocation checking and Chrome's CRL (2012). https://www.imperialviolet.org/2012/02/05/crlsets.html

Acknowledgements

Manuel Koschuch is being supported by the MA23 - Wirtschaft, Arbeit und Statistik - in the course of the funding programme “Stiftungsprofessuren und Kompetenzteams für die Wiener Fachhochschul-Ausbildungen”.

Corresponding author

Correspondence to Manuel Koschuch.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Koschuch, M., Wagner, R. (2015). Trust Revoked — Practical Evaluation of OCSP- and CRL-Checking Implementations. In: Obaidat, M., Holzinger, A., Filipe, J. (eds) E-Business and Telecommunications. ICETE 2014. Communications in Computer and Information Science, vol 554. Springer, Cham. https://doi.org/10.1007/978-3-319-25915-4_2

  • DOI: https://doi.org/10.1007/978-3-319-25915-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25914-7

  • Online ISBN: 978-3-319-25915-4

  • eBook Packages: Computer Science (R0)