Re: [Full-disclosure] OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange



No, CRLs don't work. Firefox for example does not check for CRLs
(default setting), making certificate revocation senseless. I assume
other browsers don't check CRLs either. And what about the German

That is indeed a problem. AFAIK IE 7 on Vista now does some CRL checking
by default, but I haven't tried it yet.

I did some research on this recently, and the story for browser support
is actually much more complicated. In addition to CRLs there is a
protocol called OCSP for checking the status of a specific certificate
by serial number.

* Internet Explorer 6 and Internet Explorer 7 on Windows XP support
CRL checking but default to not using it.
* Firefox 1 and 2 support both OCSP and CRL, but default to using CRL.
* Internet Explorer 7 on Vista and Firefox 3 support both OCSP and CRL
and default to using OCSP. Opera 8.5 and later support only OCSP and
use it by default.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer@xxxxxxxxxxxxxxxxxxxxxxx

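The CRL-versus-OCSP distinction drawn above, as an added shell example that is not part of the original message: it builds a throw-away CA with the openssl command line tool, issues a leaf certificate, revokes it, and shows what a CRL-checking verifier reports before and after, plus the serial-keyed OCSP request a client would send. The names, the serial 0x1001 and the demo.cnf config are constructed for the example; it assumes openssl (1.1.1 or later) is installed and runs entirely offline.

```shell
#!/bin/sh
# Added example, not from the thread: throw-away CA + leaf, then the two
# revocation checks the thread contrasts (CRL lookup, OCSP by serial), offline.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
make_demo_pki() {   # constructed CA and leaf (serial 0x1001), CRL still empty
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
EOF
    : > index.txt
    openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -config demo.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 4097 \
        -days 2 -out leaf.pem 2>/dev/null
    openssl ca -config demo.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null
}
revoke_leaf() {     # mark the serial revoked and publish a fresh CRL
    openssl ca -config demo.cnf -revoke leaf.pem 2>/dev/null
    openssl ca -config demo.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null
}
crl_status() {      # what a client that actually fetches and checks the CRL sees
    out=$(openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check leaf.pem 2>&1) || true
    case "$out" in *"certificate revoked"*) echo revoked ;; *OK*) echo good ;;
        *) echo "error: $out" ;; esac
}
ocsp_request_serial() {   # an OCSP request names the issuer and ONE serial number
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der 2>/dev/null || true
    openssl ocsp -reqin req.der -text 2>/dev/null | sed -n 's/.*Serial Number: *//p'
}

make_demo_pki
echo "CRL check before revocation: $(crl_status)"
revoke_leaf
echo "CRL check after revocation:  $(crl_status)"
echo "OCSP request asks about serial: $(ocsp_request_serial)"
```

A browser that never fetches the CRL (the default this thread complains about) behaves like the "before revocation" line even after the CA has published the revocation; OCSP instead asks the responder about that one serial at connection time.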

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
