
Firefox 37 To Check Security Certificates Via Blocklist

An anonymous reader writes: The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser. OneCRL will permit non-live verification on EV certificates, trading off currency for speed. Chrome pushes its trawled list of CA revocations every few hours, and Firefox seems set to follow that method and frequency. Both Firefox and Chrome developers admit that OCSP stapling would be the better solution, but it is currently only supported in 9% of TLS certificates.
This discussion has been archived. No new comments can be posted.

  • Standards (Score:4, Insightful)

    by ledow ( 319597 ) on Thursday March 05, 2015 @09:40AM (#49188365) Homepage

    "The prescribed global standard doesn't work so we're just going to roll our own. Twice."

    Great. Thanks for that. Not "we will penalise sites that don't allow OCSP pinning because we think it's necessary" but "bugger this, we'll apply our own definition of what can be trusted or not to every user"

    • Unfortunately this is what happens when things like OCSP aren't fully implemented. It's a case of great intent and I'd consider it disposable down the road.

    • by Luthair ( 847766 )
      The issue is that security features are hampering performance, hence each browser is attempting to strike a balance that they feel is palatable.
      • Re: (Score:2, Insightful)

        by Lennie ( 16154 )

        "The issue is that security features are hampering performance"

        This is not always true (especially in this case).

        OCSP stapling is faster than normal OCSP.

        (As a side note, SPDY or HTTP/2 only works with HTTPS/TLS in practice and is faster than HTTP and in many cases faster than HTTPS. Obviously TLS and even TCP on the server need to be properly configured for that, as they have a large number of optimizations which might not be enabled by default: https://istlsfastyet.com/ [istlsfastyet.com] )

        The summary and many commenters here are

    • by Anonymous Coward

      Firefox & Chrome: “That's it! We're adopting the prescribed global standard. Broken sites need to be fixed!”

      Users: “Hey! A bunch of my sites are breaking? They work in Internet Explorer, Safari, and Opera. Firefox and Chrome must be broken. Time to switch browsers!”

    • "The prescribed global standard doesn't work so we're just going to roll our own. Twice."
      Great. Thanks for that. Not "we will penalise sites that don't allow OCSP pinning because we think it's necessary" but "bugger this, we'll apply our own definition of what can be trusted or not to every user"

      The reason for using this alternative to the alternative is because any kind of blacklist-based security doesn't work. It rates #2 in the six dumbest ideas in computer security [ranum.com], with default-allow (which arguably is the problem that blacklists are trying to deal with) at #1. First there were CRLs, which don't work. They were replaced with OCSP, which doesn't work. Now we have cert blacklists, which are fairly recent so they haven't failed often enough for it to be obvious to everyone that they don't work,

  • Icon (Score:4, Insightful)

    by puddingebola ( 2036796 ) on Thursday March 05, 2015 @11:02AM (#49189131) Journal
    I think the icon for this story should be Firefox and not Chrome.
    • by Anonymous Coward

      Maybe a hidden message there.

  • This is mostly mute given the single process model used by Firefox is deeply flawed from a security perspective.

    • by Anonymous Coward

      That's "moot", not "mute". The single process model has worked thus far despite the naysayers. However, Mozilla has a multi-process framework in development.
