
In the context of the Heartbleed bug I would like to make sure that I can detect if someone tries to do a MITM attack with a stolen certificate, which has since been revoked. The problem is that browsers either only soft-fail or don't check the CRL at all because soft-fail is useless. Firefox lets one make the OCSP response mandatory, but it has significant disadvantages. What are the recommended settings / plugins to use to detect certificates which have been revoked since Heartbleed was announced? Specifically I would like to

  • Make OCSP mandatory for certificates issued before 04/07. Maybe with a fallback to something like Perspectives. Does any such extension exist, or is one under development?
  • Have the CRL record of a certificate cached from my previous visit to a site. That doesn't help against a MITM attack on my first visit, but I would notice a MITM with a revoked certificate on any subsequent visit.

Any other recommendations of extensions / settings to solve this problem? I'm happy to change the browser to solve the issue, thus recommendations for any browser are welcome.

Roland Schulz
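The policy sketched in the question (OCSP mandatory for certificates issued before the cutoff, a CRL cached from an earlier visit as the fallback), modelled as an added example that is not part of the original post. The `Cert` and `CachedCRL` types, the 2014-04-07 cutoff and the verdict rules are assumptions for illustration, not any browser's real API.

```python
"""Model of a client-side revocation policy for the Heartbleed scenario."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Assumption: certificates issued before this date may have a leaked key.
HEARTBLEED_CUTOFF = date(2014, 4, 7)


@dataclass
class Cert:
    serial: int        # serial number as listed in a CRL
    not_before: date   # issuance date from the certificate


@dataclass
class CachedCRL:
    revoked_serials: Set[int]
    next_update: date  # the CRL is only trusted as "fresh" until this date


def revocation_verdict(cert: Cert, ocsp_status: Optional[str],
                       cached_crl: Optional[CachedCRL], today: date) -> str:
    """Return 'accept' or 'reject' for one connection.

    ocsp_status: 'good', 'revoked', or None when the responder was unreachable.
    cached_crl:  CRL stored from a previous visit, or None on the first visit.
    """
    # A revocation seen on an earlier visit is never forgotten (second bullet),
    # whatever a current response claims.
    if cached_crl is not None and cert.serial in cached_crl.revoked_serials:
        return 'reject'
    if ocsp_status == 'revoked':
        return 'reject'
    if ocsp_status == 'good':
        return 'accept'
    # OCSP unavailable: this is the case browsers soft-fail on.
    if cached_crl is not None and cached_crl.next_update >= today:
        return 'accept'   # a fresh cached CRL does not list this serial
    if cert.not_before < HEARTBLEED_CUTOFF:
        return 'reject'   # hard-fail: pre-cutoff cert and nothing vouches for it
    return 'accept'       # soft-fail, as browsers do, for newer certificates


if __name__ == "__main__":
    # Constructed sample data, not real certificates.
    old = Cert(serial=4242, not_before=date(2013, 9, 1))
    crl = CachedCRL(revoked_serials={4242}, next_update=date(2014, 6, 1))
    print(revocation_verdict(old, None, None, date(2014, 5, 1)))  # reject
    print(revocation_verdict(old, 'good', crl, date(2014, 5, 1)))  # reject
```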

2 Answers

The only solution I was able to find is to use either Firefox or Internet Explorer, and enable hard-fail.

For Firefox:

  • Go to Options -> Advanced -> Certificates -> Validation
  • Check the box for "When an OCSP server connection fails, treat the certificate as invalid"

For Internet Explorer:

  • Can only be enabled in registry using FEATURE_WARN_ON_SEC_CERT_REV_FAILED. Blog post with reg file is here.

For Chrome:

  • Not possible to enable hard-fail

For Opera:

  • I don't know.

Notice that hard-fail has disadvantages. So don't enable it for friends/family who would get confused by the possible false positives.

Glorfindel
Roland Schulz
  • [netcraft](http://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html) has since written a good article about this. It points out that only Explorer and Opera check CRL if OCSP is not available (7% of certificates). Thus it seems only Explorer checks revocation for all certificates (OCSP+CRL) and allows hard-fail for OCSP. – Roland Schulz May 02 '14 at 17:00
  • I created a [test page](http://crt.rschulz.eu) to show how the browsers behave. – Roland Schulz May 05 '14 at 04:57

Upon SSL establishment to the remote server, the certificate chain is retrieved to ensure the trust of the host. If any certificate in the chain is revoked, the chain will be broken and you will receive a certificate error (untrusted site) upon entering.

This is why we use external root CAs like godaddy and such, to confirm the identity of the remote server.

If the case is for an internal PKI, this might differ; correct me if I'm wrong.

Neophyte
  • Check [this](https://www.imperialviolet.org/2012/02/05/crlsets.html) and [this](https://news.ycombinator.com/item?id=7556909) to see why browsers do not check the revocation of certificates. The revocation check is only effective for CA certs or EV certs. For EV, Firefox requires an OCSP response (and otherwise doesn't show the green bar) and Chrome includes EVs in the crlset. But standard class 1 or 2 certificates are not checked for revocation by default and so far I wasn't able to find a usable setting/extension to fix this. Thus my question. – Roland Schulz Apr 10 '14 at 21:07