Firefox 37 To Check Security Certificates Via Blocklist
An anonymous reader writes The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser. OneCRL will permit non-live verification on EV certificates, trading off currency for speed. Chrome pushes its trawled list of CA revocations every few hours, and Firefox seems set to follow that method and frequency. Both Firefox and Chrome developers admit that OCSP stapling would be the better solution, but it is currently only supported in 9% of TLS certificates.
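The mechanism the summary describes, a client-side blocklist of revoked CA certificates consulted instead of a live OCSP query, is simple enough to model end to end. The following is an added example and not code from Firefox or Chrome: it generates a constructed root, intermediate and leaf in memory with Go's standard library, runs normal path validation, and then rejects any chain containing a certificate whose (issuer name, serial number) pair is on the pushed list. The record shape is modelled on how OneCRL identifies a revoked certificate; the real on-disk encoding is not reproduced, and unlike OneCRL (which the summary notes is limited to intermediates for size reasons) this check looks at every certificate in the chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// BlockEntry identifies a revoked certificate the way a pushed blocklist such
// as OneCRL does: by issuer name plus serial number, so no live OCSP request
// is needed at connection time. Simplified model, not Firefox's actual format.
type BlockEntry struct {
	IssuerDN  string
	SerialHex string
}

// Blocklist is the client's local copy of the pushed revocation list.
type Blocklist map[BlockEntry]struct{}

func entryFor(c *x509.Certificate) BlockEntry {
	return BlockEntry{IssuerDN: c.Issuer.String(), SerialHex: hex.EncodeToString(c.SerialNumber.Bytes())}
}

// Add records a certificate as revoked.
func (b Blocklist) Add(c *x509.Certificate) { b[entryFor(c)] = struct{}{} }

// VerifyWithBlocklist runs ordinary path validation, then rejects every chain
// that contains a blocklisted certificate. It returns the first chain that is
// both valid and clean, or an error explaining why none was.
func VerifyWithBlocklist(leaf *x509.Certificate, inters, roots *x509.CertPool, bl Blocklist) ([]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	var blockedErr error
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if _, revoked := bl[entryFor(c)]; revoked {
				blockedErr = fmt.Errorf("chain rejected: %q (issuer %q, serial %s) is on the blocklist",
					c.Subject.CommonName, c.Issuer.CommonName, entryFor(c).SerialHex)
				clean = false
				break
			}
		}
		if clean {
			return chain, nil
		}
	}
	return nil, blockedErr
}

// Scenario is a constructed three-tier PKI generated in memory so the example
// runs offline; none of these certificates exist outside this program.
type Scenario struct {
	Root, Intermediate, Leaf *x509.Certificate
	Roots, Inters            *x509.CertPool
}

// BuildScenario mints root -> intermediate -> leaf with fresh P-256 keys.
func BuildScenario() (*Scenario, error) {
	now := time.Now()
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		}
		if ca {
			t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		} else {
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
			t.DNSNames = []string{"www.example.test"} // constructed hostname
		}
		return t
	}
	mint := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	var keys [3]*ecdsa.PrivateKey // 0 = root, 1 = intermediate, 2 = leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootT := tmpl("Constructed Root CA", 1, true)
	root, err := mint(rootT, rootT, &keys[0].PublicKey, keys[0]) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := mint(tmpl("Constructed Intermediate CA", 2, true), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := mint(tmpl("www.example.test", 3, false), inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	s := &Scenario{Root: root, Intermediate: inter, Leaf: leaf, Roots: x509.NewCertPool(), Inters: x509.NewCertPool()}
	s.Roots.AddCert(root)
	s.Inters.AddCert(inter)
	return s, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	bl := Blocklist{}
	if chain, err := VerifyWithBlocklist(s.Leaf, s.Inters, s.Roots, bl); err == nil {
		fmt.Printf("before push: chain of %d certificates accepted\n", len(chain))
	}
	bl.Add(s.Intermediate) // simulate the pushed list revoking the intermediate
	if _, err := VerifyWithBlocklist(s.Leaf, s.Inters, s.Roots, bl); err != nil {
		fmt.Println("after push:", err)
	}
}
```

Keying the entry on issuer name plus serial matters: serial numbers are only unique per issuer, so an entry naming the same serial under a different CA must not match, which is the third case the test below exercises. A list like this is only as current as its last push, which is the "currency for speed" trade-off the summary mentions.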
Re: (Score:2)
A surprising number of things are starting to rely on these curated lists to handle "most" cases. The valid-key flip-side of this key blocklist is the public-key pinning [mozilla.org] list, which is also pretty half-assed.
With a different (non-crypto) bit of web technology, there's also the mess of how to determine what the "real" domain of a site controlled by an entity is. E.g. in the UK, a domain like example.co.uk is a third-level domain, but is conventionally treated as domain 'example' with suffix '.co.uk', not as
Re: (Score:2)
Seems like this is a half-ass solution. I'm starting to think the whole system is flawed.
Starting? What would it take for you to realise that the whole browser PKI mess is the steaming pile of dung that it actually is?
Standards (Score:4, Insightful)
"The prescribed global standard doesn't work so we're just going to roll our own. Twice."
Great. Thanks for that. Not "we will penalise sites that don't allow OCSP pinning because we think it's necessary" but "bugger this, we'll apply our own definition of what can be trusted or not to every user"
Re: (Score:3)
Unfortunately this is what happens when things like OCSP aren't fully implemented. It's a case of great intent and I'd consider it disposable down the road.
Re: (Score:2)
Re: (Score:2, Insightful)
"The issue is that security features are hampering performance"
This is not always true (especially in this case).
OCSP stapling is faster than normal OCSP.
(As a side note, SPDY or HTTP/2 only works with HTTPS/TLS in practice and is faster than HTTP and in many cases faster than HTTPS. Obviously TLS and even TCP on the server need to be properly configured for that, as they have a large number of optimizations which might not be enabled by default: https://istlsfastyet.com/ [istlsfastyet.com] )
The summary and many commenters here are
Re: (Score:1)
Firefox & Chrome: “That's it! We're adopting the prescribed global standard. Broken sites need to be fixed!”
Users: “Hey! A bunch of my sites are breaking? They work in Internet Explorer, Safari, and Opera. Firefox and Chrome must be broken. Time to switch browsers!”
Re: (Score:2)
"The prescribed global standard doesn't work so we're just going to roll our own. Twice."
Great. Thanks for that. Not "we will penalise sites that don't allow OCSP pinning because we think it's necessary" but "bugger this, we'll apply our own definition of what can be trusted or not to every user"
The reason for using this alternative to the alternative is because any kind of blacklist-based security doesn't work. It rates #2 in the six dumbest ideas in computer security [ranum.com], with default-allow (which arguably is the problem that blacklists are trying to deal with) at #1. First there were CRLs, which don't work. They were replaced with OCSP, which doesn't work. Now we have cert blacklists, which are fairly recent so they haven't failed often enough for it to be obvious to everyone that they don't work,
Re: (Score:1)
If you have access to cert storage you can do all kinds of tricks like adding CAs or removing them. So "adding to blocklist" is like frying ants with a 50-megawatt laser.
Icon (Score:4, Insightful)
Re: (Score:1)
Maybe a hidden message there.
Mostly mute (Score:2)
This is mostly mute given the single process model used by Firefox is deeply flawed from a security perspective.
Re: (Score:1)
That's "moot", not "mute". The single process model has worked thus far despite the naysayers. However, Mozilla has a multi-process framework in development.