Overview of TLS Certificate Revocation Mechanisms

Jayanth Rajakumar

Abstract


TLS Certificates are the backbone of the World Wide Web’s Public Key Infrastructure. In case of a compromise of private cryptographic keys, it is vital to have the ability to revoke certificates before their validity period expires. This paper describes and contrasts the two major mechanisms for certificate revocation – Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP). It is found that modern web clients and browsers such as Google Chrome do not perform stringent checking of certificate revocation status, leaving users open to attackers who use revoked certificates to spoof web sites and services. A browser extension is proposed and implemented for Google Chrome that checks CRL and OCSP status and notifies the user. It can also automatically navigate away from the page if the certificate is found to be revoked. The extension is created using JavaScript and uses a background process written in Python to handle the revocation checking. It is found to be able to complete CRL and OCSP requests for common websites in under a second, and under 200 milliseconds for locally cached responses.

Keywords


TLS; SSL; HTTPS; X.509; Digital Certificates; Certificate Revocation

Full Text:

PDF

References


M. Nia, A. Sajedi and A. Jamshidpey, "An Introduction to Digital Signature Schemes", In Proceeding of National Conference on Information Retrieval, 2011

D. Cooper et al. “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, Internet Engineering Task Force RFC 5280, May 2008.

Y. Liu et al., "An End-to-End Measurement of Certificate Revocation in the Web's PKI", Proceedings of the 2015 ACM Conference on Internet Measurement Conference - IMC '15, 2015. DOI: 10.1145/2815675.2815685.

S. Santesson, A. Malpani and C. Adams, “X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP”, Internet Engineering Task Force RFC 6960, June 2013.

D. Eastlake, “Transport Layer Security (TLS) Extensions: Extension Definitions”, Internet Engineering Task Force RFC 6066, January 2011.

P. Hallam-Baker, “X.509v3 Transport Layer Security (TLS) Feature Extension”, Internet Engineering Task Force RFC 7633, October 2015.

L. Zhu, J. Amann and J. Heidemann, "Measuring the Latency and Pervasiveness of TLS Certificate Revocation", Passive and Active Measurement, pp. 16-29, 2016. DOI: 10.1007/978-3-319-30505-9_2

T. Chung et al., "Is the Web Ready for OCSP Must-Staple?", Proceedings of the 2018 ACM Conference on Internet Measurement Conference - IMC '18, 2018. DOI: 10.1145/3278532.3278543

B. Laurie, A. Langley, E. Kasper, “Certificate Transparency”, Internet Engineering Task Force RFC 6962, June 2013.

A. Langley, "Revocation checking and Chrome's CRL", 2019 , [Online]. Available at https://www.imperialviolet.org/2012/02/05/crlsets.html.

Y. Li, "certificate-info", GitHub, 2019. [Online]. Available: https://github.com/blupig/certificate-info

"Keyword Research, Competitor Analysis, & Website Ranking", Alexa Internet, 2018. [Online]. Available at https://www.alexa.com




DOI: https://doi.org/10.26483/ijarcs.v10i3.6408

Refbacks

  • There are currently no refbacks.




Copyright (c) 2019 International Journal of Advanced Research in Computer Science