Ahti Kitsik
Building develper tools. Python, Java, JavaScript.

writings about @ahtik

Here's why StartSSL revoke fees won't matter and SSL certs are funky

By Ahti Kitsik, 17 Apr 2014

Wired just started the day with an article how everyone should move to HTTPS. Very nice article but they got the address wrong: http://www.wired.com/2014/04/https/ should have been with an HTTPS prefix, not postfix.

Nitpicking aside -- let's talk about SSL revocations

Yes, we must encourage a major shift to encrypted web. But not so fast -- we must understand that SSL spreads a problem that is still there but is very little acknowledged and worked on -- certificate revocations. A mechanism to handle cases when something goes wrong with the private key or certificate. But this cannot possibly happen, right?

Quick background on the history of revocations

Certificate is valid if it's used at any time between the issue date and expiry date. At the same time there is also a method to turn off certificates that are not yet expired -- Certificate Revocation. Revocation is checked either using CRL or OCSP. CRL is a huge file of all the revoked certificates -- browser needs to download the whole file and then check if the cert is revoked. OCSP is an optimized protocol to perform a more efficient certificate validation. OCSP still needs an internet connection and OCSP provider must be up'n'running'n'up-to-date.

CRL is slowly being phased out as it grows too fast and there are jokes around that thanks to heartbleed the size becomes comparable to a blockchain.

Sounds like we have a winner, OCSP? Nope, nowhere close.

Hello mobile, you are breaking the world

Now the real issue: almost NONE of the mobile browsers check for revocation! Add to this that by default Chrome is not checking for cert revocation either. So isn't this rendering the whole revocation mechanism almost useless against a real attack?

There is a reason why it's not done in mobile (and Chrome) -- it makes the requests slower, especially in mobile. To stay fast while surfing there is a timeout fallback in browser so that when OCSP validation is enabled but OCSP responder times out then all browsers except specially configured Firefox (OCSP Hard Fail enabled) assumes that the cert is valid. Which is not helping when a real attack is executed.

Fun fact, most of the HTTPS attacks require MITM (man in the middle) opportunity and this makes Firefox OCSP Hard Fail feature the only protection against a real attack when the cert and private key are compromised.

Let's not worry about the StartSSL fees but it has to change

Revocation as of today is not functional to prevent most of the attacks. This means that we can be quite relaxed about StartSSL policy to offer free certificates while asking a hefty fee of $24.90 to revoke them. Yes, revoking certs is important but in reality it secures a very small proportion of web surfers.

Our world is already a fragile place and StartSSL business model would be aligned with a safer future if the certs are $1.95/year or $4.95/year and come with a free revocation.

I strongly believe that by keeping revocation feature behind a paywall StartSSL is actually not following the policies set by Mozilla for companies who are registered as CA in Mozilla products.

StartSSL free certs are very important to many of us but business model with paid revocations needs a refactoring. Just as much as revocation mechanism itself.

The relevant section from the policy:
CAs must revoke Certificates that they have issued upon the occurrence of any of the following events: /../ the CA obtains reasonable evidence that the subscriber’s private key (corresponding to the public key in the certificate) has been compromised or is suspected of compromise (e.g. Debian weak keys), or that the certificate has otherwise been misused.

I'm no a lawyer but this reads as CAs MUST revoke compromised certs. Period. Having this contingent on subscriber/certificate owner to pay a fee doesn't seem legal. Using this logic one can render any section of the contract into nonsense -- "CAs must do /**/" --> Yes, we'll do that but only if another party is paying $10k.

Again, StarCom and its StartSSL provide excellent service. I just believe it's time to reinvent their business model around revocation fees.

Haha, I said it -- giving business model critique as someone who has no eggs in the basket.. I get it and I apologize. But it had to be said.

Critical issue, let's fix it

Internet in this universe is not safe until we have a 99% browser market where certificates can be universally revoked and it's not slowing down the browser. CRL and OCSP as of today are broken by design as both introduce single point of failure which is unacceptable extra layer of failure for the network.

Yes, you as a single private citizen can be safe and paranoid already today -- install Firefox and enable OCSP Hard Fail. Also do not ever use a mobile to log in anywhere (including mobile apps). You see, current foundation is too fragile to get us all to the safe and encrypted future.

I should stop whining now. All I have is just one solution in mind, not sure if there are significant flaws to that:

Certs that are valid for only 24 hours

CAs would provide API and our servers generate a new private key with a 24h valid cert every 6 hours. Six hours is useful to silently recover from network and service failures.

It's clearly too simple solution so it must be naive. Would be happy to hear what are the better strategies and where's the flaw with short-term certs.

@ahtik is on twitter!