Hacker News new | ask | show | jobs
by yourabi 4255 days ago
Yep - getting this right is hard.

Couple of points about the article.

Browsers verify SSL certificates for revocation (OCSP). This is an ongoing service that has a direct impact on latency - so SSL is an ongoing service very much like DNS. However, most people don't realize this.

Also you send in a CSR - certificate signing request - not CRT (which is usually short-hand for certificate).

Also it gets worse - A recent OpenSSL vulnerability would still allow SSLv3 even if it was configured with "no-ssl3": https://www.openssl.org/news/secadv_20141015.txt

This is why I built https://snitch.io - security and SSL secured sites in particular are moving targets and not "fire and forget". You really need an external process monitoring and auditing your secured site.
2 comments
function_seven 4255 days ago
> Browsers verify SSL certificates for revocation (OCSP). This is an ongoing service that has a direct impact on latency - so SSL is an ongoing service very much like DNS. However, most people don't realize this.

Inconsistently and sporadically, it seems: http://news.netcraft.com/archives/2014/04/24/certificate-rev...

That article is a few months old though. Have Firefox/Chrome changed their tune due to Heartbleed?

link
yourabi 4255 days ago
Not really inconsistently. Firefox, Safari and IE all do this. Firefox, for example, will wait up to 10 seconds for an OCSP response (https://wiki.mozilla.org/CA:ImprovingRevocation)

That article cites Adam Langley - a respected engineer at Google who has worked on Chrome and parts of Go. Chrome is wildly lax with certificate revocation. Don't believe me? Browse to https://revoked.grc.com from Chrome. It is true that if someone can MITM they can block CRL/OCSP requests...but browsers (including Chrome) made the choice of 'soft-failing' and thus making it an attack vector. OCSP stapling and the proposed "OCSP Must-Staple" (https://tools.ietf.org/html/draft-hallambaker-muststaple-00) solve this problem. With all due respect to Adam, it seems a little peculiar to say revocation checks don't work when they're broken by design in the browser he worked/works on.

Chrome is the only browser that skips revocation checks for DV certificates but it still does OCSP for EV certs. Chrome has the concept of CRLsets - but these have been shown to only capture a very small portion (<1%) of revoked certificates.

Firefox has the option to hard-fail if the OCSP request isn't verified. This should be the default behavior, but the fear is that too few people understand this and would migrate to another browser if SSL secured sites randomly failed to load sometimes. Note: this is vastly preferable, in my opinion, to loading a site with a certificate of unknown status.

link
jtokoph 4255 days ago
Re: snitch.io

Have you considered somehow providing a demo of what I might see for my domain?

link
yourabi 4255 days ago
Hi!

The screenshots show you what the app looks like. And to your point all accounts come with a free 14-day trial.

I may eventually add a free "one-off" audit - but the value in a service like Snitch is that something is constantly monitoring and alerting.

Happy to answer any other questions - you can email me anytime. This username at gmail or currylabs.com

link