[cabfpub] Certificate lifetimes: end state or trajectory?

Gervase Markham gerv at mozilla.org
Fri Mar 10 12:36:30 UTC 2017


On 03/03/17 20:34, Kirk Hall wrote:
> Gerv - on the issue of revocation checking, not everyone is asking
> for browsers to turn on hard fail if the browser fails to get a
> response to a revocation query in a reasonable time.  We would be
> very happy to continue with soft fail - but please, turn on
> revocation checking again.  Even if the browser doesn't get a timely
> response in (say) 10% of queries, if it does receive a response
> "revoked" in the other 90% of queries, and displays that to users,
> that would be a great increase in user security.

As noted by Adam Langley, "[S]oft-fail revocation checks are like a
seat-belt that snaps when you crash. Even though it works 99% of the
time, it's worthless because it only works when you don't need it."

https://www.imperialviolet.org/2012/02/05/crlsets.html

This is because "[A]n attacker who can intercept HTTPS connections [so
as to use their bad cert for an MITM] can also make online revocation
checks appear to fail and so bypass the revocation checks."

Gerv
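
Added example, not part of the original message and not any browser's code: a small Python model of the two positions in this exchange, counting how many connections presenting a revoked certificate each policy blocks. The `Connection` fields and both 10-connection samples are constructed assumptions; the 1-in-10 benign failure rate is the 10% figure from the quoted text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    cert_revoked: bool
    on_path_attacker: bool     # attacker can intercept the client's traffic
    responder_reachable: bool  # would the revocation query succeed on its own?


def revocation_result(c: Connection) -> str:
    """What the client learns from its online revocation query."""
    # Whoever can intercept the HTTPS connection can also make the
    # revocation query appear to fail.
    if c.on_path_attacker or not c.responder_reachable:
        return "no_response"
    return "revoked" if c.cert_revoked else "good"


def client_accepts(c: Connection, hard_fail: bool) -> bool:
    """Policy decision: proceed with the connection or not."""
    result = revocation_result(c)
    if result == "revoked":
        return False
    if result == "no_response":
        return not hard_fail  # soft-fail treats a missing answer as "good"
    return True


def blocked(conns, hard_fail: bool) -> int:
    """Number of revoked-certificate connections the client refuses."""
    return sum(1 for c in conns
               if c.cert_revoked and not client_accepts(c, hard_fail))


# Constructed sample 1: revoked cert, no interference, 1 query in 10 times out.
BENIGN_NETWORK = [Connection(True, False, i != 0) for i in range(10)]
# Constructed sample 2: revoked cert presented by an on-path attacker.
ATTACKER_ON_PATH = [Connection(True, True, True) for _ in range(10)]

if __name__ == "__main__":
    for name, conns in (("benign network", BENIGN_NETWORK),
                        ("attacker on path", ATTACKER_ON_PATH)):
        print(f"{name}: soft-fail blocks {blocked(conns, False)}/10, "
              f"hard-fail blocks {blocked(conns, True)}/10")
```

Soft-fail blocks 9 of 10 in the first sample and 0 of 10 in the second, because in the second sample the missing response is caused by the attacker rather than by chance.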


