3/5/2012
11:07 AM

Can SSL Certificate Checking System Be Saved?

Google says Web certificate revocation checking system is broken, joins other browser vendors at RSA to discuss solutions.

RSA CONFERENCE 2012--San Francisco--The way that browsers perform SSL certificate-revocation checking is so fundamentally flawed that some browser vendors have turned it off altogether, according to browser vendor representatives in a panel at RSA last week. Moderated by a certificate authority (CA) representative, the panel involved key players from Mozilla, Google, and Opera, who all put forward potential solutions to the problem of how to check the valid status of SSL certificates issued by CAs.

At the moment, sites depend on two methods for checking the valid status of SSL certificates online. One is through a certificate revocation list (CRL) published by the CAs, which post revoked certificates periodically on these lists. The other is through the online certificate status protocol (OCSP) responder systems CAs have in place to relay the up-to-date status of a site's certificate to a user's browser when the user visits the site.

[ Catch up on our complete RSA 2012 Security Conference coverage. ]

"So why are we here today?" said panel moderator Kirk Hall, operations director of trust services for Trend Micro. "That sounds like a perfect system, right? It should work. But it doesn't."

Hall says there are several reasons why CRLs and OCSP are not working in the real world. For one, the CRLs can be up to seven days old and "the CRL in your client at any given time will probably not reflect the most recent list of revocations from that particular root," Hall says.

At the same time, while OCSP is supposed to be a more real-time method of checking, its latency problems have doomed its prospects at the moment. Whether it is through slow responses due to slow connections, connectivity issues involving system firewalls, or scalability issues for CAs responding to OCSP queries at high-volume sites, the number of errors returned by OCSP responders for sites with valid certificates can be quite high. In the name of usability, browser vendors have all but neutered OCSP safeguards by turning off "hard-fail" when OCSP does not respond with a positive result.
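The gap the panel describes can be made concrete. The following is an added illustration, not code from the article or from any browser vendor: a toy client that checks a constructed certificate serial against a cached CRL and a simulated OCSP responder, then applies either a hard-fail or a soft-fail policy (the decision rules, serial number and dates are assumptions made up for the example).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed data for illustration: the serial number and dates are made up.
REVOKED_AT = {"0x1a2b": datetime(2012, 3, 1)}  # CA revoked cert 0x1a2b on 1 March

@dataclass(frozen=True)
class CRL:
    """The copy of a CA's revocation list that a client has cached."""
    issued: datetime
    revoked_serials: frozenset

def crl_check(crl, serial, now, max_age=timedelta(days=7)):
    """'revoked', 'good', or 'stale' if the cached list is older than we tolerate."""
    if now - crl.issued > max_age:
        return "stale"
    return "revoked" if serial in crl.revoked_serials else "good"

def ocsp_query(serial, now, responder_up):
    """Simulated OCSP responder: 'good', 'revoked', or 'unavailable' (timeout/error)."""
    if not responder_up:
        return "unavailable"
    revoked_at = REVOKED_AT.get(serial)
    return "revoked" if revoked_at is not None and revoked_at <= now else "good"

def browser_decision(status, hard_fail):
    """Map a revocation-check result to 'accept' or 'reject' (assumed policy)."""
    if status == "revoked":
        return "reject"
    if status == "good":
        return "accept"
    # 'unavailable' or 'stale': no definite answer. Hard-fail refuses the connection;
    # soft-fail (what the panel says browsers now do) lets it through.
    return "reject" if hard_fail else "accept"

def run_scenarios():
    now = datetime(2012, 3, 5)  # constructed: four days after the revocation
    serial = "0x1a2b"
    # The client's CRL was published 29 Feb, before the revocation, and is still within
    # its seven-day window, so it vouches for a certificate the CA has since revoked.
    cached_crl = CRL(issued=datetime(2012, 2, 29), revoked_serials=frozenset())
    return {
        "crl_lagging": browser_decision(crl_check(cached_crl, serial, now), False),
        "ocsp_down_soft_fail": browser_decision(ocsp_query(serial, now, False), False),
        "ocsp_down_hard_fail": browser_decision(ocsp_query(serial, now, False), True),
        "ocsp_up": browser_decision(ocsp_query(serial, now, True), False),
    }
```

Only the scenario with a reachable OCSP responder rejects the revoked certificate; the lagging CRL accepts it, and soft-fail accepts it whenever the responder is down, while hard-fail trades that for a refused connection.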

Read the rest of this article on Dark Reading.

Secure sockets layer isn't perfect, but there are ways to optimize it. The new Web Encryption That Works supplement from Dark Reading shows four places to start. (Free registration required.)
