
HTTPS Certificates: The return of blacklists

It should finally become possible again to simply revoke compromised certificates. Apple and Mozilla are pushing ahead, and Let’s Encrypt is following suit.


Frankly, the management of HTTPS certificates is broken: there is no generally working way to revoke a certificate that vouches for a site’s identity once it has, for example, been stolen. The problem is well known but has been discussed only reluctantly, because nobody had a satisfactory solution. Now, however, Apple and Mozilla are calling for a revival of revocation lists, and the world’s largest certificate authority, Let’s Encrypt, is following suit.


First, an ultra-short summary of the status quo and how it came about. Originally, every Certificate Authority (CA) published Certificate Revocation Lists (CRLs); a browser fetched the relevant CRL to check whether a certificate was actually still valid. That stopped working because the web grew too fast and the lists became unmanageably large (quite apart from the organizational chaos surrounding CRLs).

The Online Certificate Status Protocol (OCSP), introduced next, allowed a client to query the status of an individual certificate instead. But OCSP responders were never reliable enough to be depended on, so no browser made a successful OCSP check mandatory (a "hard fail"); an unreachable responder was simply treated as "not revoked". In addition, OCSP queries tell the CA which websites you are visiting, which is a serious privacy problem. In the end the browser makers did without a general revocation mechanism altogether. Their own, much smaller emergency revocation lists (Chrome’s CRLSets, Mozilla’s OneCRL) and shorter certificate lifetimes were supposed to limit the resulting risk. All in all a very unsatisfactory situation.
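To make the classic CRL mechanism from the summary above concrete, here is an added example (not code from the article, nor from any CA or browser vendor it names) that walks through it with the openssl command line: build a throwaway CA, issue a leaf certificate, publish a CRL, revoke the leaf, republish the CRL, and check the leaf against each list. It assumes the openssl CLI is installed; the CA name, the host name demo.example and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or from any CA it names: the classic
# CRL workflow with the openssl CLI (assumed installed). Builds a throwaway CA,
# issues a leaf certificate, publishes a CRL, revokes the leaf, republishes the
# CRL and checks the leaf against each. All names and paths are constructed.
set -eu

DEMO_DIR=$(mktemp -d)
cd "$DEMO_DIR"

# Minimal configuration for `openssl ca`: its text database of issued
# certificates, serial and CRL-number counters, and extension profiles.
write_ca_config() {
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 01 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
prompt               = no
distinguished_name   = req_dn
[ req_dn ]
commonName           = Demo
[ ca ]
default_ca           = demo_ca
[ demo_ca ]
dir                  = ./ca
database             = $dir/index.txt
new_certs_dir        = $dir/newcerts
serial               = $dir/serial
crlnumber            = $dir/crlnumber
certificate          = ./ca.crt
private_key          = ./ca.key
default_md           = sha256
default_days         = 30
default_crl_days     = 7
policy               = demo_policy
x509_extensions      = v3_leaf
[ demo_policy ]
commonName           = supplied
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
EOF
}

# Root CA, the leaf certificate that vouches for demo.example, and a first
# CRL that revokes nothing yet.
issue_leaf_and_crl() {
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" -days 30 >/dev/null 2>&1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=demo.example" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out crl-before.pem >/dev/null 2>&1
}

# Revoke the leaf (the stolen-key case) and publish a CRL that lists it.
revoke_leaf() {
  openssl ca -batch -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out crl-after.pem >/dev/null 2>&1
}

# Check the leaf as a CRL-honouring client would and print one word:
#   valid    chain verifies and the given CRL does not list the serial
#   revoked  the given CRL lists the serial
#   no-crl   a CRL is required (-crl_check) but none is available; this is
#            the "hard fail" that browsers never enabled for OCSP
check_leaf() {
  if [ -n "${1:-}" ]; then
    out=$(openssl verify -CAfile ca.crt -crl_check -CRLfile "$1" leaf.crt 2>&1) || true
  else
    out=$(openssl verify -CAfile ca.crt -crl_check leaf.crt 2>&1) || true
  fi
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *"leaf.crt: OK"*)                  echo valid ;;
    *) echo "unexpected openssl output: $out" >&2; return 1 ;;
  esac
}

write_ca_config
issue_leaf_and_crl
STATUS_BEFORE=$(check_leaf crl-before.pem)   # valid
STATUS_NO_CRL=$(check_leaf)                  # no-crl
revoke_leaf
STATUS_AFTER=$(check_leaf crl-after.pem)     # revoked
STATUS_STALE=$(check_leaf crl-before.pem)    # valid: a stale CRL hides the revocation

echo "first CRL: $STATUS_BEFORE | no CRL: $STATUS_NO_CRL | new CRL: $STATUS_AFTER | stale CRL: $STATUS_STALE"
# The revoked serial as it appears in the freshly published CRL.
openssl crl -in crl-after.pem -noout -text | grep 'Serial Number'
```

Two of the four results are the whole revocation problem in miniature: without `-crl_check` (or with OCSP soft-fail) a client that cannot obtain status information just proceeds, and a client that holds an outdated list reports the revoked certificate as valid until it refreshes. Whatever the compacted lists look like, they have to be fetched and applied quickly and completely on the client, or they inherit exactly these weaknesses.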

Now, however, Apple and Mozilla require CAs to provide them with complete revocation lists as a condition for including the CA’s root certificates in their trust stores. They intend to collect these lists centrally and then ship a compacted version to their browsers. This intermediate step appears to allow enough optimization to get the scaling and performance problems of traditional CRLs under control. In any case, Let’s Encrypt has announced that it wants to start publishing these CRLs this month. And that is by far the largest CA, the one whose free certificates drove the HTTPS boom.

This gives hope that something is finally moving in a corner of IT security that has been neglected for far too long. One reason for some skepticism is that Google has not yet said anything about the new CRLs, although it is usually very active when it comes to certificate policy. And thanks to Chrome’s dominant market share, Google has so much leverage that it seems at least doubtful whether Mozilla and Apple could push this through against it. But perhaps Google is not against it at all and is simply a little later. We will see.

