SSL Certificate Status Checking
As part of its effort to promote SSL certificate best practices, the CA Security Council (CASC) has offered a couple of blogs on the importance of revocation checking, categorized in Part 1 and Part 2.
Here are my summaries of SSL certificate status checking.
What is the purpose of a CA-issued SSL certificate?
- To bring trust to the end-user of who controls the website
- The CA-issued SSL certificate brings encryption as well, but so do self-signed certificates; self-signed does not bring trust
- Trust is elevated based on the verification practice used to validate the certificate applicant:
- Domain Validation (DV) verifies the domain name is controlled by the applicant.
- Organization Validation (OV) verifies an identity that controls the validated domain.
- Extended Validation (EV) verifies the identity and authorization of the applicant at a higher level.
Why revoke a certificate?
- Changes by the website owner (e.g., no longer in business, does not own domain, changed organization name)
- Private signing key is compromised by a third party
- CA learns that information in the certificate has changed or has been misrepresented
How is a certificate status conveyed?
- Certificate Revocation List (CRL) – A digitally-signed file containing a list of certificates that have been revoked and have not yet expired
- Online Certificate Status Protocol (OCSP) – A protocol in which the client requests the status for a particular certificate signed by a particular issuer, and receives a digitally-signed response containing its status
- CRL and OCSP responses can be found at a website address included in the certificate
What could happen if you go to a risky site?
- Loss of Private Information – An attacker controlling the risky site could capture your personal information such as your birth date or credit card number
- Identity Theft – An attacker could capture your username and password, allowing them to impersonate you on a website
- Financial Loss – Loss of your credit card number or username and password could mean financial loss
- Malware Installation – An attacker could install malware on your computer to help steal other information or take over your computer for a larger attack
How do I check certificate status?
- Certificate-status checking is done by your browser or other certificate-aware software
- In some cases, you may need to ensure certificate-status checking is turned on. This is more likely for software using Windows XP as an operating system.
- Browsers and applications provide dialogue boxes to turn on certificate-status checking, see below