Overview of TLS Certificate Revocation Mechanisms

Jayanth Rajakumar

Abstract

TLS certificates are the backbone of the World Wide Web’s Public Key Infrastructure. If a private key is compromised, it is vital to be able to revoke the corresponding certificate before its validity period expires. This paper describes and contrasts the two major mechanisms for certificate revocation – Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP). It is found that modern web clients and browsers such as Google Chrome do not perform stringent checking of certificate revocation status, leaving users open to attackers who use revoked certificates to spoof websites and services. A browser extension for Google Chrome is proposed and implemented that checks CRL and OCSP status and notifies the user; it can also automatically navigate away from the page if the certificate is found to be revoked. The extension is written in JavaScript and uses a background process written in Python to perform the revocation checking. It is found to complete CRL and OCSP requests for common websites in under a second, and in under 200 milliseconds for locally cached responses.
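A CRL check of the kind the extension's Python backend performs, written here as an added example rather than the paper's own code: it uses the `cryptography` package to build a throwaway CA, two leaf certificates and a CRL (all names and dates constructed), so it runs offline, and it shows why a CRL that cannot be verified or is past its nextUpdate must be reported as unknown rather than good.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def utcnow():  # naive UTC, matching the datetimes cryptography reports for certs and CRLs
    return datetime.now(timezone.utc).replace(tzinfo=None)

def issue(common_name, issuer_cert, issuer_key, key, ca=False):
    """Issue a certificate to `key`; issuer_cert=None means a self-signed root (constructed data)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = utcnow()
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(hours=1)).not_valid_after(now + timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(ca_cert, signing_key, revoked_serials, this_update, lifetime=timedelta(days=7)):
    """Build the CRL a CA would publish at its CRL distribution point."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(this_update).next_update(this_update + lifetime))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(this_update).build())
    return b.sign(signing_key, hashes.SHA256())

def revocation_status(cert, crl, issuer_cert, now=None):
    """Return 'revoked', 'good' or 'unknown'; treating 'unknown' as good is the gap the paper describes."""
    now = now or utcnow()
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        return "unknown"  # CRL not signed by the certificate's issuer
    if crl.next_update is not None and now > crl.next_update:
        return "unknown"  # stale CRL: a replayed old list proves nothing about today
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"

def demo():
    """Constructed scenario: one CA, two leaves, leaf A revoked; returns the status per case."""
    ca_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = issue("Example Test CA", None, ca_key, ca_key, ca=True)
    leaf_a, leaf_b = issue("a.example.test", ca, ca_key, leaf_key), issue("b.example.test", ca, ca_key, leaf_key)
    now = utcnow()
    crl = make_crl(ca, ca_key, [leaf_a.serial_number], now)
    return {"revoked_leaf": revocation_status(leaf_a, crl, ca),
            "valid_leaf": revocation_status(leaf_b, crl, ca),
            "forged_crl": revocation_status(leaf_a, make_crl(ca, rogue_key, [leaf_a.serial_number], now), ca),
            "stale_crl": revocation_status(leaf_a, make_crl(ca, ca_key, [], now - timedelta(days=30)), ca)}
```

The stale case deliberately carries an empty revocation list: a checker that skips the nextUpdate test would report the revoked certificate as good.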

Author Biography

Jayanth Rajakumar, R.V. College of Engineering

4th Year Bachelor of Engineering student of Electronics and Communication Engineering (ECE) at R.V. College of Engineering, Bangalore.
