HTTPS Certificate Revocation is Broken

FrgMstr

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
55,626
Scott Helme is a security researcher that keeps up a blog that I frequent. I came across his work when we were looking to move HardOCP to HTTPS. Last week he discussed how to revoke a Let's Encrypt "https" certificate, and this week he discusses how the revocation system is fully broken. Basically, if your key gets stolen, the system for letting everyone know it is stolen, is useless. This really needs to be fixed.

As it currently stands there is a real problem, we can't revoke certificates if someone obtains our private key. Just imagine how that will play out the next time Heartbleed comes along! One thing that you can do to try and limit the impact of a compromise is to reduce the validity period of certificates you obtain. Instead of three years go for one year or even less. Let's Encrypt only issue certificates that are valid for ninety days! With a reduced lifetime on your certificate you have less of a problem if you're compromised because an attacker has less time to abuse the certificate before it expires. Beyond this, there's very little we can do.

He has also recently tried to burn down his hotel with his Macbook charger.
 
Not really news though, wasn't that the main reason LE made them 90 days?

I still have trouble understanding why Google/Mozilla were pushing so hard to make self-published certs seem naughty considering how broken the rest of the system is ;)
 
I remembered for the longest time that Amazon had bad certs. What surprises me even more is how many sites use wild card certificates.
 
Honestly, I'm still shocked that we are using 90 day certs. Seems like rolling 7-14 day certs should be perfectly viable. Hell, with a little automation you could probably get that down to sub 7 days reasonably for most sites.

ChoGGi said:
Not really news though, wasn't that the main reason LE made them 90 days?

I still have trouble understanding why Google/Mozilla were pushing so hard to make self-published certs seem naughty considering how broken the rest of the system is ;)
Click to expand...

Because self-signed is basically the same as no security at all. AKA, you don't throw out the baby with the bath water.

Zarathustra[H] said:
Sigh...

I never cease to be astonished by how poorly https and certificates are handled...
Click to expand...

Security has forever been 2 steps forward, 1 step back. We've had HTTPS for how long? And it has taken how long for the majority of websites to get on board?
 
I'm not sure I understood everything, but would not a simpler - for the client - solution be to fold certificate checking into DNS? If a site has the CAA DNS record set then the DNS server checks the validity of the certificate and gives an appropriate error if the certificate is not valid.
 
aaronspink said:
Because self-signed is basically the same as no security at all. AKA, you don't throw out the baby with the bath water.
Click to expand...
That's absurd. You're conflating third-party verification and encryption; one does not require the other. The entire concept of the chain of trust was foolish from the get-go as it was a given the root cert auth's would be a prime target, for those interested, to compromise. And they have been.
 
Todd Walter said:
That's absurd. You're conflating third-party verification and encryption; one does not require the other. The entire concept of the chain of trust was foolish from the get-go as it was a given the root cert auth's would be a prime target, for those interested, to compromise. And they have been.
Click to expand...

I hate that they treat self-signed certs worse than having no certificate at all... Makes devices like routers and ip cameras that aren't always practical to assign domain names to difficult it encrypt. I get that there is almost no scenario where you want encryption without verification, but it's been a constant source of frustration for me over years.

And certificate management has been painful over the years as well. Companies seem to suck at it, so they get wildcards... but then use them on all of their servers including old crap that still supports SSL2 or 3...
 
TV news program was taking about online securely when buying stuff online and they said that you should be looking for the padlock and HTTPs to make sure your on a secure website (they failed to mention that does not mean its a legitimate website as any fake website can get a HTTPs cert to make it look more real) really getting a HTTPs cert should be harder to obtain then it is allready (EV certs are harder to get but you can fake it to get them if you try)

dont like that chrome has made it harder to read the cert information (they have hid the tab that shows the cert when you click on Secure)

1. always use a credit card for online purchase or high value items (as well as holidays packages) as you're protected by Visa or mastercard,, as in the UK most people see credit cards as debt and don't understand the protections they offer, you can get quite easy low £500 cards and if you don't want to use the £500 just load extra money on it so its in credit all the time

2. make sure the website is actually the correct one when searching for them (i would say 3. list for fake site prevention but i get banned from here, but its related google search results listing fake sites first, you Must look at the Real search results that start 1-2-3 not the ones on the top or right side, some people unfortunately just click on the first 2-3 results that they think are real)
 
You must log in or register to reply here.
Back
Top