[cabfpub] Certificate lifetimes: end state or trajectory?
Gervase Markham
gerv at mozilla.org
Fri Mar 10 12:36:30 UTC 2017

On 03/03/17 20:34, Kirk Hall wrote:
> Gerv - on the issue of revocation checking, not everyone is asking
> for browsers to turn on hard fail if the browser fails to get a
> response to a revocation query in a reasonable time. We would be
> very happy to continue with soft fail - but please, turn on
> revocation checking again. Even if the browser doesn't get a timely
> response in (say) 10% of queries, if it does receive a response
> "revoked" in the other 90% of queries, and displays that to users,
> that would be a great increase in user security.

As noted by Adam Langley, "[S]oft-fail revocation checks are like a
seat-belt that snaps when you crash. Even though it works 99% of the
time, it's worthless because it only works when you don't need it."
https://www.imperialviolet.org/2012/02/05/crlsets.html

This is because "[A]n attacker who can intercept HTTPS connections [so
as to use their bad cert for an MITM] can also make online revocation
checks appear to fail and so bypass the revocation checks."

Gerv
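
The trade-off argued in this message, as an added example that is not part of the original post: a small model of a client's accept/reject decision under soft-fail and hard-fail revocation policies. The 10% benign failure rate is the figure from the quoted text; the names `Policy`, `Status` and `acceptance_probability` are hypothetical, and the model assumes an on-path attacker suppresses every revocation response.

```python
# Added illustration; the names and the 10% failure rate are assumptions
# taken from the figures quoted in the thread, not measured data.
from enum import Enum
from fractions import Fraction


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # timeout, dropped packet, responder down


class Policy(Enum):
    SOFT_FAIL = "soft-fail"       # no answer is treated as "not revoked"
    HARD_FAIL = "hard-fail"       # no answer is treated as a failure


def accepts(policy, status):
    """Client decision for one connection given the revocation answer it saw."""
    if status is Status.REVOKED:
        return False
    if status is Status.UNAVAILABLE:
        return policy is Policy.SOFT_FAIL
    return True


def status_distribution(cert_revoked, failure_rate, attacker_on_path):
    """Probability of each answer the client observes.

    An on-path attacker controls the client's traffic, so the revocation
    query never completes; otherwise it fails at the benign failure_rate.
    """
    lost = Fraction(1) if attacker_on_path else Fraction(failure_rate)
    answer = Status.REVOKED if cert_revoked else Status.GOOD
    return {Status.UNAVAILABLE: lost, answer: 1 - lost}


def acceptance_probability(policy, cert_revoked, failure_rate, attacker_on_path):
    """Chance the client proceeds with the connection."""
    dist = status_distribution(cert_revoked, failure_rate, attacker_on_path)
    return sum(p for status, p in dist.items() if accepts(policy, status))


if __name__ == "__main__":
    rate = Fraction(1, 10)
    for policy in Policy:
        for revoked, attacker in [(True, False), (True, True), (False, False)]:
            p = acceptance_probability(policy, revoked, rate, attacker)
            print(f"{policy.value:9} revoked={revoked!s:5} attacker={attacker!s:5} accept={float(p):.0%}")
```

With no attacker, soft-fail rejects a revoked certificate in 90% of connections; with an on-path attacker it rejects none, while hard-fail rejects all of them at the cost of refusing 10% of connections to sites with good certificates.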