CA:ImprovingRevocation
Plan for Improving Revocation Checking in Firefox
This page is dedicated to improving how Firefox does revocation checking of SSL certificates.
Current Problems to Solve
Here are some of the issues that we hope to address very soon.
- Nonsensical security properties of revocation checking of end-entity certificates: In most cases, a malicious actor that is trying to use a revoked certificate to attack a browser user will be able to turn off the revocation checking for the certificate he is using.
- Nonsensical security properties of revocation checking for intermediate CA certificates: We don't check for revocation of intermediate certificates at all except for the case of EV. A bad intermediate CA certificate is extremely dangerous, so it is important to check revocation of them; sadly, the intermediates we do check revocation for (EV intermediate certificates) are the ones that are the least likely to cause our users security problems. And, those revocation checks suffer from the same problem that revocation checking of end-entity certificates currently has: an attacker can usually just block the check and prevent us from seeing that the certificate has been revoked.
- Poor Privacy: The CA learns the IP address, location, a subset of the user's browsing history, and other sensitive information about the user through the OCSP requests sent to its servers.
- Poor Performance: Revocation checking through OCSP and CRL requests is way too slow.
- Poor Usability: Many captive portals with HTTPS login pages work very poorly in Firefox because we stall for 30+ seconds waiting for the OCSP response for the captive portal's certificate, and the captive portal itself blocks that OCSP request until you log in.
- Confusing UX for EV certificates: If we fail to get revocation information via OCSP/CRL fetching for an EV certificate, then we do not show the certificate as an EV certificate. This is particularly problematic for cases when a web app is designed to be used offline (e.g. using AppCache), but even normal websites like paypal.com are affected by this. This inconsistency in the security indicators devalues the security indicators.
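The following is an added example, not Firefox code: a simplified Python model of the behaviour the list above describes, showing in one place why a blocked OCSP check lets a revoked certificate through, stalls captive-portal logins, and drops the EV indicator. The function and field names, the exact 30-second timeout, the zero-cost answered check, and the `hard_fail` comparison policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

# The page cites stalls of "30+ seconds"; the exact value here is assumed.
OCSP_TIMEOUT_S = 30

@dataclass(frozen=True)
class Outcome:
    connects: bool     # does the TLS connection proceed?
    shown_as_ev: bool  # is the EV indicator displayed?
    stall_s: int       # seconds spent waiting on the OCSP responder

def check(revoked: bool, ocsp_blocked: bool, is_ev: bool,
          hard_fail: bool = False) -> Outcome:
    """Simplified model of one revocation check (hypothetical function).

    ocsp_blocked: an on-path attacker or a captive portal drops the request.
    hard_fail:    assumed alternative policy that treats "no answer" as fatal;
                  included only for comparison.
    """
    if ocsp_blocked:
        # No response arrives, so the client waits out the timeout first.
        if hard_fail:
            return Outcome(False, False, OCSP_TIMEOUT_S)
        # Behaviour described on the page: the connection continues, and an
        # EV certificate is simply not shown as EV.
        return Outcome(True, False, OCSP_TIMEOUT_S)
    if revoked:
        return Outcome(False, False, 0)
    return Outcome(True, is_ev, 0)

def revoked_cert_accepted(hard_fail: bool) -> list[tuple[bool, bool]]:
    """(ocsp_blocked, is_ev) cases in which a revoked certificate connects."""
    return [(blocked, ev)
            for blocked, ev in product([False, True], repeat=2)
            if check(True, blocked, ev, hard_fail).connects]

if __name__ == "__main__":
    # Every accepted case has ocsp_blocked=True: the check only "works"
    # when nobody is interfering with it.
    print("ignore failures:", revoked_cert_accepted(hard_fail=False))
    print("hard-fail:      ", revoked_cert_accepted(hard_fail=True))
    # Captive portal: a good certificate, but the responder is unreachable.
    print("captive portal: ", check(False, True, False))
    # Good EV certificate, responder unreachable: EV indicator is lost.
    print("EV, offline:    ", check(False, True, True))
```

Under the ignore-failures behaviour, the only cases where a revoked certificate is rejected are those where the OCSP request was not blocked, which is exactly the situation an on-path attacker avoids.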
Changes In Progress
The following changes have been discussed in a Mozilla discussion forum, and are in the implementation phase.
Change Name
Description
- Discussion: Link to Discussion Thread
- Code Change: Bugzilla Bug Number
- Policy Change:
- Process Change:
Proposed Changes under Discussion
The following changes are being discussed (or will be discussed) in a Mozilla discussion forum.
Note: These changes may be in development while discussion is ongoing, because testing of ideas may be needed and/or implementation details may impact the direction of the discussion or outcome.
Change Name
Description
- Discussion: Link to Discussion Thread
- Code Change: Bugzilla Bug Number
- Policy Change:
- Process Change: