Target Group: SysAdmins, anyone interested in PKI
Focus: technical
Language: English
Abstract:
**********
Revocation of TLS certificates used by web browsers has been broken for years. Why is that, and can the newly proposed CRLite technology solve the problem?
About the Speaker:
*********************
Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.
Boost PC performance: How more available memory can improve productivity
SBA Live Academy - CRLite – Revocation for X.509 certificates in the browser – this time for real? by Mathias Tausig
1. Klassifikation: Öffentlich
Welcome
to the SBA Live Academy
#bleibdaheim # remotelearning
Today: CRLite: Revocation for X.509 certificates in the browser
– this time for real?
by Mathias Tausig
This talk will be recorded as soon as the presentation starts!
Recording will end BEFORE the Q&A Session starts.
Please be sure to turn off your video in your control panel.
4. Klassifikation: Öffentlich 4
Revocation
• Problem only arose with asymmetric cryptography
• Subject creates public/private keypair
• Trusted Certification Authority signs keypair to create trust into the
ownership of it -> certificate
• Certificate valid for a limited amount of time
• Things can go wrong in that timeframe
o Broken algorithms
o Key compromise
o Organisational problems
o Misissued certificates
• -> Revocation tells the world that a certificate has become invalid
before its expiration date
SBA Research gGmbH, 2020
5. Klassifikation: Öffentlich 5
Revocation
• Certificate Revocation List (CRL)
o List of all revoked certificates for that CA
o Too large to be downloaded on every HTTPS connection (MBs)
• Online Certificate Status Protocol (OCSP)
o Query status of a single relevant certificate
o Privacy concerns
o Hard failure vs. soft failure (= Single point of failure vs. useless)
o Very resource intensive (Comodo 2013: 2.000.000.000
requests/day)
SBA Research gGmbH, 2020
6. Klassifikation: Öffentlich 6
Revocation
• OCSP Stapling
o Server queries OCSP response, sends it with the TLS
handshake to the client
o Server can simply hold back OCSP response with
revocation information
o Bad implementations in web servers
• OCSP Must-Staple
o Certificate extension indicating that the certificate is
only valid in conjunction with a stapled OCSP response
o Again: Bad or incomplete support. Hardly used
SBA Research gGmbH, 2020
7. Klassifikation: Öffentlich 7
Revocation Workarounds
• OneCRL/CRLSet/…
o Browser vendor compiles a list of revoked certificates, pushes it directly to
the browser
o Does not scale, only usable for high value domains
• Short lived certificates
o The shorter a certificate’s lifespan, the shorter the period a compromised
key can be exploited
o TLS certificates were originally valid for up to 5 years
o Maximum lifetime of 2 years since 2018
o Ballot to reduce it to 1 year fails in CA/B forum 2019; unilateral push by
Apple announced in 2020
o Let’s Encrypt: 3 month
SBA Research gGmbH, 2020
8. Klassifikation: Öffentlich 8
Summary
Revocation for the WebPKI is weird …
• Most complicated part of operating a CA (legal &
standard requirements)
• Currently mostly broken & unused
• Consumes a lot of effort, yes not really important
SBA Research gGmbH, 2020
10. Klassifikation: Öffentlich 10
CRLite
Overview
• Proposed by Larisch, Choffnes et.al. at IEEE S&P
2017 (Universities & Akamai)
• Compile a list of all revocations like OneCRL
• Store it efficiently by using Cascading Bloom
Filters
SBA Research gGmbH, 2020
11. Klassifikation: Öffentlich 11
Bloom Filter
• Extremely fast and storage efficient data index
• Data can only be added to the filter
• User can query if some data is in the filter
o „Object not in the filter“
o „Object probably in the filter“
• Probabilistic Data Structure
• False positive probabililty depends on filter size,
configuration and number of entries
SBA Research gGmbH, 2020
12. Klassifikation: Öffentlich 12
CRLite
Workflow
• Download all CRLs
• Store unique certificate identifier (hash of public key +
serial number) of all revoked certificates in Bloom filter
• Check for false positives in the filter
o Download all certificates from certificate transparency
logs
• Store false positives in a second, much smaller, cascading
bloom filter
• Continue until no false positives are left
• Push filter to browser
SBA Research gGmbH, 2020
13. Klassifikation: Öffentlich 13
CRLite at Mozilla
• Activated in Firefox Nightly (only for telemetry)
• Filter compiled 4 times a day
• Covers 100M of 152M certificates, 750k revocations
o Missing: CRL errors, CAs without a CRL (Let‘s Encrypt!)
• Filter generation takes ~1h; requires 16GB memory
and 7GB storage
• Filter size: 1,3MB
• Faster than OCSP 99% of cases
SBA Research gGmbH, 2020
15. Klassifikation: Öffentlich 15
Key take-aways
1. Certificate revocation in the browser is currently
broken
2. Pushing lists of revoked certificates to the
browser is the only thing that works
3. Bloom filters allow extremely compact storage
4. Certificate transparency necessary enabling
technology
SBA Research gGmbH, 2020
16. Klassifikation: Öffentlich 16
Mathias Tausig
SBA Research gGmbH
Floragasse 7, 1040 Wien
+43 1 5053688 1512
mtausig@sba-research.org
SBA Research gGmbH, 2020
17. Klassifikation: Öffentlich 17
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Bridging Science and Industry
Applied Research
Industrial Security | IIoT Security |
Mathematics for Security Research |
Machine Learning | Blockchain | Network
Security | Sustainable Software Systems |
Usable Security
SBA Research
Knowledge Transfer
SBA Live Academy | sec4dev | Trainings |
Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org