Professional Documents
Culture Documents
Emin Topalovic∗ , Brennan Saeta∗ , Lin-Shung Huang† , Collin Jackson† and Dan Boneh∗
∗ Stanford University, {emint, saeta, dabo}@cs.stanford.edu
† Carnegie Mellon University, {linshung.huang, collin.jackson}@sv.cmu.edu
Abstract—The Online Certificate Status Protocol (OCSP) is as on its clients. For space considerations, their global CRL is
good as dead. It imposes a massive performance penalty on not exhaustive, and can exclude the revocations that happen
web traffic and has failed to mitigate the recent high-profile for purely administrative reasons. Network filtering attacks
certificate security breaches of certificate authorities. Citing these
fundamental protocol flaws, Google Chrome, one of the world’s that block updates are still possible, but would require con-
most popular browsers, is permanently disabling OCSP and stant blocking from the time of revocation. Google’s decision
taking direct ownership over certificate revocation. We will soon is mainly due to the ineffectiveness of soft-fail revocation
be living in a post-OCSP world where Google has become a checks, and also the obvious costs in performance and user
single point of failure for certificate validation. We argue that privacy [6].
certificate authorities should reassert control over the certificate
revocation process by issuing certificates with a very short While revocation by software updates may work well for
lifetime. These certificates complement browser-based revocation
Chrome, it can be quite difficult on a number of platforms
by allowing certificate authorities to revoke certificates without
the cooperation of browser vendors, and without imposing a such as smartphones, where issuing a software update in-
performance penalty on web traffic. volves multiple entities and can take many months until wide
deployment. Even now several smartphone vendors have not
We have implemented a prototype certificate authority and
certificate update plugin for Apache that demonstrates feasibility yet issued software updates to block DigiNotar certificates.
of short-lived certificates. We have also implemented client-side Revocation by software update takes control of revocation out
pinning to short-lived certificates in the Chromium browser. Fi- of the hands of the CAs where it naturally belongs and puts it
nally, we show that short-lived certificates complement browser- in the hands of software and hardware vendors who may have
based revocation and address its major limitations; the two less of an incentive to issue a software update every time a
mechanisms can be combined to achieve secure, performant, and
backwards-compatible browsing experience on the web. certificate is revoked.
IV. I MPLEMENTATION
c) Client-Side Pinning: We implemented a prototype of As mentioned in Section I, Google has announced plans to
client-side pinning for short-lived certificate in Chromium disable OCSP checks completely. Instead, Chrome will reuse
(using revision 61348). Since Chromium utilizes the system its existing software update mechanism to maintain a list of
cryptography libraries on each platform [24] to handle cer- revoked certificates on its clients.
tificate verification, we implemented our code as a platform-
1) Advantages: In the case of certificate misissuances during
independent function in the browser above the cryptography
CA incidents, Google could push out new CRLs that will block
libraries, instead of modifying a specific library such as
the fraudulently issued certificates on the clients in less than a
NSS. We reused the existing transport security state code
daily time frame. Due to using software updates, this approach
in Chromium (for HSTS and public key pinning) to store
even has the ability to remove the misbehaving root certifi-
our short-lived certificate pins persistently. Our patch for
cates. Browser-based CRLs are updated periodically and not
Chromium is available online [25].
fetched at the time connecting a site, thus there is no additional
latency during page load, nor privacy concerns of tracking
the user’s browsing history. Further, network filtering attacks
1 It is reasonable for a large site using Apache to use short-lived certificates.
become more difficult, an attacker would have to consistently
Apache can restart gracefully with no noticeable impact to end users as our block software updates from the time of revocation, instead of
benchmarking has shown. only at the time of visit.
TABLE I
C OMPARISON OF C ERTIFICATE R EVOCATION A PPROACHES
Chrome’s CRL Hard-Fail OCSP Short-Lived Certificates Chrome’s CRL +
Short-Lived Certificates
Untrust Rogue Root CAs 3 7 7 3
Revoke Misissued Certificates 3 3 3 3
Revoke Benign Certificates 7 3 3 3
Support Captive Portals 3 7 3 3
Avoid Page Load Delay 3 7 3 3
Avoid User Tracking 3 7 3 3
Avoid Single Point of Failure 7 7 7 3
Support Legacy Clients 7 7 3 7
2) Disadvantages: Due to space considerations of maintaining attacker could have easily generated a valid OCSP response
a global CRL, Google will not support a vast amount of with a far expiration date. Clients would need software updates
revocations that are due to administrative reasons. Should to untrust the bad root certificate.
OCSP be disabled, certificate authorities lose control over
revocation, therefore unable to revoke certificates for billing, C. Short-Lived Certificates
re-issuance, or other benign reasons. Google has become a
single point of failure for certificate revocation. We described the approach of using short-lived certificates in
Section III. In short, to revoke a certificate, the CA simply
Another major disadvantage of this approach is that legacy
stops reissuing new certificates, as any old certificates either
clients are currently not supported, such as mobile devices
must have expired, or would expire shortly.
and other browsers. Google may want to provide their global
CRLs as a public service for other browsers and applications, 1) Advantages: By default, certificate expiration is always
in a way similar to their Safe Browsing API [26]. strictly validated on clients. All major browsers check for the
validity period of certificates and present alerts to users when
B. Hard-Fail OCSP encountering expired certificates. No modifications on clients
are required, thus will work on all platforms and devices
In attempt to fix the ineffectiveness of OCSP under existing without updates.
CA infrastructures, some security researchers as well as CAs
In the event of a key compromise or fraudulent issuance of
have suggested clients enforce hard-fail OCSP. Some browsers
site certificates, with short-lived certificates, the CA simply
do allow users to opt-in to hard-fail for revocation checks, but
stops renewing the certificate for revocation. The window of
this must be turned on by default to be effective.
vulnerability will be bounded by the short validity period,
1) Advantages: Unarguably, the security of a hard-fail OCSP which should be no more than a few days. We note that short-
is better than existing soft-fail mechanisms. Unlike new lived certificates can potentially help if supposedly a large CA
browser-based CRL proposals, this approach supports the (e.g. VeriSign) is hacked — the too big to fail problem. In
existing revocation infrastructure managed by CAs. that case, there will be a need to revoke the stolen certificates.
Short-lived certificates can make that easier.
2) Disadvantages: Unfortunately, there are legitimate reasons
why browsers refuse to simply turn on hard-fail OCSP. For Unlike OCSP, user’s browsing habits are not reported to any
example, users may need to log in to captive portals of third parties when short-lived certificates are used. Further,
WiFi hotspots where the login page is protected by SSL. this approach does not require additional round-trips to a
Often, the HTTP traffic is blocked, including OCSP, and SSL connection setup, as browsers do not need to verify the
will cause certificate validation to timeout. If hard-fail OCSP certificate status with an OCSP responder.
was implemented, users will not be able to connect to many
Since short-lived certificates are regular certificates, they can
WiFi hotspots, even though they are probably not under
be chained in exactly the same manner as the existing deploy-
attack.
ment of X.509 certificates. This allows websites, and even
Also, this approach shares many disadvantages of existing intermediate certificate authorities, to incrementally deploy
OCSP approach, including the ability for third party to track and take advantage of short-lived certificates, without a large
the user’s browsing history. Further, clients may suffer sig- migration, or infrastructure change.
nificant connection latency due to OCSP queries, which even
2) Disadvantages: Although short-lived certificates cannot
worse may discourage sites on adopting SSL. Whenever an
solve the problem of a root CA compromise (neither does
OCSP responder goes down, all sites that use their certificates
hard-fail OCSP), it does improve the security of intermediate
will go down as well.
certificates that are short-lived. In on-demand mode, the fact
In the case where a Root CA has been completely com- that the certificate authorities are online increases the risk
promised, OCSP does not provide any protection since the of the CA’s key being stolen and fraud certificates being
generated. This is less of an issue with the pre-signed mode the maximum security without the obvious shortcomings of
where certificates are signed by an offline CA in batches, OCSP.
allowing the key to be kept safe and isolated from the online
servers. However, signing in batches implies that a CA break- VI. R ELATED W ORK
in will provide the attacker with a larger pool of pre-signed
certificates and thus a longer time during which they can A. OCSP Stapling
masquerade as the certificate owners. Fortunately, this only
An update to OCSP is OCSP stapling, where the web server
hinders security if the attackers have also compromised a
itself requests OCSP validation which it passes on the response
client’s private key.
to inquiring clients. Stapling removes the latency involved
One possible issue that could be raised is the fact that if a with OCSP validation because the client does not need an
CA falls under DDoS attacks, servers can not get updated additional round trip to communicate with the OCSP responder
certificates and are thus forced into service outage as soon to check the certificate’s validity. This also removes the privacy
as their certificates expire. This requires that the attacker is concern of OCSP because the responder does not have access
able to take down the CA consistently for at least a few days. to knowledge about a web site’s visitors. Unfortunately this
Fortunately, there are many mitigations. One approach for CAs is not widely implemented, only 3% of servers support OCSP
is to filter traffic based on IP, only allowing well-known cus- stapling [27]. Also, current implementations do not support
tomer IPs through. If using pre-signed mode, the distribution stapling multiple OCSP responses for the chained intermediate
of certificates can further be handled by third-party distributors certificates [11]. Further, we note that users are still prone to
that specialize in handling DDoS-level traffic. attacks if clients do not implement hard-fail OCSP stapling
(and pin the status of whether a site uses OCSP stapling).
We note that deploying short-lived certificates might cause In contrast, short-lived certificates essentially fail closed on
errors on clients whose clocks are badly out of sync (e.g. existing clients without modifications.
off by a week). It is recommended that clients should sync
their clocks periodically, which is critical for preventing replay B. DANE
attacks.
A recent proposal called DNS-based Authentication of Named
Entities (DANE) [28] allows the domain operator to sign cer-
D. Short-Lived Certificates with Chrome’s CRL
tificates for sites on its domain, without trusting external CAs.
By distributing certificates via DNS records [29], certificates
Lastly, we consider a hybrid approach of using short-lived
can be cached on DNS servers, reducing the connection round
certificates in cooperation with Chrome’s CRL. First of all, by
trip time while protecting the client’s privacy. Most impor-
issuing short-lived certificates, CAs immediately regain control
tantly, this approach avoids the danger of an untrustworthy CA
of certificate revocation that was disabled by Chrome. Once
being able to issue valid certificates for any domain (given that
CAs start to issue short-lived certificates for sites (as well as
typically hundreds of CAs are pre-installed on clients). There
intermediate CAs), these sites will benefit from the improved
are other DNS-related proposals that still involve trust in CA,
security. In the event of keys being stolen or certificates being
such as publishing OCSP responses over DNS, or providing
misissued, short-lived certificates ensures a shorter window of
an exclusion list of certificates in DNS [30], reducing the
vulnerability by warnings on expiration.
dependence on the availability of OCSP responders. However,
In addition, Chrome’s CRL complements nicely with short- these approaches rely on DNSSEC [31] to prevent forgery and
lived certificates. With short-lived certificates alone, we men- modification, which has not been deployed broadly. Another
tioned that users may still be vulnerable in the worst case, concern is that the trusted domain operator (like a CA) may
when a root certificate is deemed untrustworthy. Now that be compelled by a state actor to issue false certificates.
browser-based CRLs provide protection against CA incidents,
the combination of these two approaches allows a full spec- C. Public Key Pinning
trum of revocation (on supporting browsers). Browser vendors
will be able to revoke fraudulent certificates and rogue CAs, Google Chrome implements public key pinning [19] for a pre-
while CAs may control administrative revocations for benign loaded list of HTTPS sites. Basically, those HTTPS sites must
certificates. include a whitelisted, or pinned, public key in their certificate
chain, otherwise it will be treated as fatal error. Public key
This hybrid approach does not have the client side perfor- pinning address attacks where a trusted CA is compromised
mance or privacy issues caused by OCSP, and does not (or compelled by a state actor [32]), whenever the client sees
block users behind captive portals. In contrast, we note that a valid certificate that was fraudulently issued by a rogue
using hard-fail OCSP along with Chrome’s CRL would still CA (not within the preloaded whitelist). This approach may
suffer the compatibility issues with captive portals, as well as be more suitable for a small number of large, high security
page load delay and privacy issues. Given Chrome’s CRL in sites, but less practical for the majority HTTPS sites on the
place, we suggest that adopting short-lived certificates gives web.
D. Google Certificate Catalog R EFERENCES