The next version of Mozilla Firefox will include a new certificate revocation list that will speed up and streamline the process of revoking intermediate certificates trusted by the browser.
The new feature, known as OneCRL, is meant as a replacement for the old OCSP (online certificate status protocol) system that is used now to check the status of a given certificate. That protocol relies on OCSP servers run by certificate issuers that maintain a list of their certificates. Those servers respond to requests from clients about the status of a certificate, saying the certificate is either valid, revoked or unknown.
That process can be somewhat slow, and also has the problem of typically failing open if the OCSP responder can’t determine the status of a given certificate.
“The critical question is what to do in the event that you can’t get an answer about a certificate’s revocation status. If you reject certificates when you can’t get an answer, that’s called hard-fail. If you accept certificates when you can’t get an answer that’s called soft-fail,” Adam Langley, a security engineer at Google, wrote last year in explaining the revocation status issue after Heartbleed.
“Everyone does soft-fail for a number of reasons on top of the general principle that single points of failure should be avoided. Firstly, the Internet is a noisy place and sometimes you can’t get through to OCSP servers for some reason. If you fail in those cases then the level of random errors increases. Also, captive portals (e.g. hotel WiFi networks where you have to “login” before you can use the Internet) frequently use HTTPS (and thus require certificates) but don’t allow you to access OCSP servers. Lastly, if everyone did hard-fail then taking down an OCSP service would be sufficient to take down lots of Internet sites. That would mean that DDoS attackers would turn their attention to them, greatly increasing the costs of running them and it’s unclear whether the CAs (who pay those costs) could afford it.”
The OneCRL feature that will be included with Firefox 37 is designed to address some of these concerns by pushing a certificate-revocation list to the browser. In order for a certificate to be added to the list, the issuer has to notify Mozilla that the certificate needs to be revoked.
“OneCRL helps speed up revocation checking by maintaining a centralized list of revoked certificates and pushing it out to browsers. Currently, if a serious incident occurs that requires certificates to be revoked, we release an update to Firefox to address the problem. This is slow because it takes some time for users to get the security update and restart their browsers. There’s also cost involved in producing an update (and users downloading it),” Mark Goodwin of Mozilla wrote in a blog post.
“Firefox already has a mechanism for periodically checking for things that may harm users called blocklisting. OneCRL extends the blocklist to include certificates which should be revoked in addition to the errant add-ons, plugins and buggy graphics drivers currently included. This lets users get the benefit of fresh revocation information without having to update or restart their browser.”
The version of OneCRL that will ship with Firefox 37 will only cover intermediate certificates, a choice that is meant to limit the size of the blocklist for the time being.