Certificate revocation and browsers

Discussion in 'privacy technology' started by BoerenkoolMetWorst, Apr 14, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian
  2. BoerenkoolMetWorst
    If you use an AV with SSL/HTTPS scanning enabled, and it uses a MitM method, the browser cannot check for certificate revocation and the AV must do this.
    I've checked Bitdefender and ESET; both fail to warn.

    https://www.wilderssecurity.com/threads/antivirus-web-http-shields-and-https-connections.359894

    @MrBrian, thanks for the links, there was some new info for me in there as well.

    I would say it is still better than nothing, and if there were no OCSP, MitM attacks on a massive scale would be easier and cheaper.
    We'll have to wait for new standards to become widely adopted to get some proper protection though.
    The 3 major browsers, IE, FF and Chrome, already support OCSP stapling (well, at least the desktop versions), so hopefully it will be adopted by servers faster now.
     
  3. xxJackxx
    It did not give me the option to bypass. IE11 on Windows 8.1 update 1, 64 bit enhanced protected mode enabled.
     
  4. Minimalist
    http://threatpost.com/openssl-heartbleed-and-the-value-of-crls/105572
     
  5. MrBrian
  6. MrBrian
  7. elapsed
    I enabled that feature, thanks for the heads up.

    It annoys me when the Chrome developers prioritize speed over security. It's the same reason you sometimes end up loading a Chrome page before an extension like ABP has loaded: they don't want to compromise speed by waiting for extensions to load when you open the browser.
     
  8. Minimalist
    Since Chrome doesn't support "hard fail" revocation, enabling that option doesn't help much ...
     
  9. BoerenkoolMetWorst
    The article linked by MrBrian suggests OCSP Must Staple as a possible solution; there is a bug about implementing it in Firefox here, and voting for it might attract more attention from the devs:
    https://bugzilla.mozilla.org/show_bug.cgi?id=901698
    Interesting related one:
    https://bugzilla.mozilla.org/show_bug.cgi?id=672600

    I got the IE test from the Cloudflare challenge blog, they didn't specify version and OS. I'll add your result.
     
  10. BoerenkoolMetWorst
    I'm no longer able to edit my original list, so here is the updated version:

    Desktop

    Bitdefender SafePay browser
    Gives warning, but it is a general warning, does not mention the certificate has been revoked and allows bypass by user.

    Browser protected by Bitdefender HTTPS/SSL scanning (BD TS 17.27.0.1146)
    Gives no warning, no option to enable yourself
    Browser protected by ESET HTTPS/SSL scanning (ESS 7)
    Gives no warning, no option to enable yourself
    Browser protected by Kaspersky HTTPS/SSL scanning (KIS 14.0.0.4651(f))
    Gives warning, but allows bypass by user.

    Chrome:
    Gives no warning, users have to enable "Check for server certificate revocation" in options. (Disabled by default.)

    Chromium 36.0.1939.0
    Gives warning, denies access.

    Firefox:
    Gives warning, denies access.
    FF forks Seamonkey, Pale Moon and Cyberfox:
    Gives warning, denies access.

    Internet Explorer v?:
    Gives warning, but allows bypass by user.
    IE 11, Win 8.1 update 1, 64 bit enhanced protected mode enabled
    Gives warning, denies access.

    Maxthon 4.1.3.2000
    Gives warning, but it is a general warning, does not mention the certificate has been revoked and allows bypass by user.

    Opera 12.16:
    Gives warning, denies access.

    Opera 20:
    Gives warning, denies access.

    QupZilla 1.6.3
    Gives no warning, no option to enable yourself

    Safari:
    Gives warning, but allows bypass by user.

    Mobile

    Android 4.1.1, Builtin browser
    Gives no warning, no option to enable yourself
    Android 4.1.1, Opera Mobile Classic 12.16
    Gives warning, denies access.
    Android 4.1.1, Zirco browser 0.4.4
    Gives no warning, no option to enable yourself

    Android 4.3, Builtin browser
    Gives no warning, no option to enable yourself
    Android 4.3, Chrome 34
    Gives no warning, no option to enable yourself
    Android 4.3, Firefox 28
    Gives warning, denies access.

    Android 4.4.2, Firefox
    Gives warning, denies access.

    iOS 7.1, Chrome
    Gives no warning, no option to enable yourself
    iOS 7.1, Ghostery Browser
    Gives no warning, no option to enable yourself
    iOS 7.1, Mercury Browser
    Gives no warning, no option to enable yourself
    iOS 7.1, Safari
    Gives no warning, no option to enable yourself
    iOS 7.1, Webroot SecureWeb
    Gives no warning, no option to enable yourself
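
The revoked-certificate test behind the list above, reproduced offline as an added example (not from the thread or from any of the products listed): a throw-away CA issues a leaf, revokes it and publishes a CRL, and `verdict` then models how a client that never checks revocation, one that soft-fails and one that hard-fails judge that same certificate when the revocation data is or is not reachable. The CA name, the hostname `revoked.example.test` and the file paths are constructed; `openssl` on PATH is assumed.

```shell
# Added example (not from the thread): reproduce the revoked-certificate test
# offline with a throw-away CA, then judge the same revoked leaf the way three
# client policies do. All names ("Test CA", revoked.example.test) are constructed.
set -e
WORK=$(mktemp -d)
# 1. Throw-away CA plus a leaf certificate it issued.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Test CA" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=revoked.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.crt" -days 1 >/dev/null 2>&1
# 2. Minimal 'openssl ca' database so the CA can revoke the leaf and publish a CRL.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 1
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"
openssl ca -config "$WORK/ca.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" \
    -revoke "$WORK/leaf.crt" >/dev/null 2>&1
openssl ca -config "$WORK/ca.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" \
    -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
# 3. verdict LEAF CAFILE POLICY [CRLFILE] -> accept | revoked | unavailable | invalid
#    none: never consults revocation data; soft: consults it but carries on when it
#    cannot be fetched (CRLFILE omitted); hard: refuses unless fresh data says good.
verdict() {
    leaf=$1; ca=$2; policy=$3; crl=${4:-}
    if [ "$policy" = none ]; then
        openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 && echo accept || echo invalid
        return 0
    fi
    if [ -n "$crl" ]; then set -- -CRLfile "$crl"; else set --; fi
    if out=$(openssl verify -crl_check "$@" -CAfile "$ca" "$leaf" 2>&1); then
        echo accept; return 0
    fi
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *"unable to get certificate CRL"*)
            [ "$policy" = hard ] && echo unavailable || echo accept ;;
        *) echo invalid ;;
    esac
}
```

A CRL stands in for OCSP here; the hard-fail versus soft-fail distinction is the same whichever source the client uses.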
     
  11. MrBrian
  12. MrBrian
    I've been having problems in the past week with www.google.com and news.google.com when using "hard fail" browser settings.
     
  13. MrBrian
  14. MrBrian
  15. Minimalist
  16. SouthPark
    Just tested IE 11 with Enhanced Protected Mode enabled on W7-64: shows warning, does not allow bypass.
     
  17. MrBrian
  18. MrBrian
    From Specific Implementations:
     
  19. MrBrian
    From the link in the last post:
     
  20. MrBrian
    Regarding post #44: That setting is indeed gone in the latest Chrome canary build, but it's not in the latest release version yet.
     
    Last edited: May 31, 2014
  21. MrBrian
    You can complain here.
     