It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards for ensuring security, in favour of home-grown solutions, but that is the world a security professional lives in. The basic design of OCSP carries a lot of extra bandwidth usage. Maintaining a time-limited local cache of the OCSP response, referred to as stapling, would ameliorate this, but your TLS connection is not likely to support that solution. Instead of fixing the root cause and utilizing existing standards, Firefox 37 will apparently start a brand new solution: a list of revoked certificates, ironically called OneCRL, which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains.
This is good for the end user in that it does add security to their browsing session, but for those truly worried about making the net a safer place it offers yet another list to keep track of, and for attackers yet another vector of attack. At some point we will have to stop referring to standards when discussing networking technology. Pore through the links on the Slashdot post and read the comments to share in the frustration, or to familiarize yourself with these concepts if the acronyms are unfamiliar.
"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."
Here is some more Tech News from around the web:
- Socketed Intel desktop Broadwell coming mid-year @ The Tech Report
- Apple: We could expose our WHOPPING 12 INCH iPad – but it's not real @ The Register
- The Intel / iPro LIVEPAD 8.9 Face To Face Event @ Tech ARP
- Samsung-Microsoft deal will bundle Office 365 with Android Knox @ The Register
- D-Link removes fingers from ears, preps mass router patch @ The Register
- HyperX Announces New FURY DDR4 Memory and Extends High-capacity Predator DDR4 Kits @ Modders-Inc
- IBM mixes with AlchemyAPI to bring deep learning to Watson @ The Inquirer
And I just got OCSP stapling working on httpd.
Cheers to you!
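For the stapling discussion in the post and the comment about getting it working on httpd, here is an added example (not from the post, its comments, or any project) of how to confirm that a server actually staples an OCSP response: it runs `openssl s_client -status` against a host you name and classifies the output, and it also dry-runs the classifier on constructed sample output when no host is given. The host and port are assumed arguments; the output phrases are the ones OpenSSL prints.

```shell
#!/bin/sh
# Added example: check whether a TLS server sends a stapled OCSP response.

# Classify the text that `openssl s_client -status` prints.
# Prints "none" if no staple was sent, "stapled:<cert status>" if one was,
# and "unknown" if the output matches neither shape.
classify_staple() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        # Pull the leaf's status (good/revoked/unknown) out of the response dump.
        status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: //p' | head -n 1)
        echo "stapled:${status:-unknown}"
        return 0
    fi
    echo unknown
    return 0
}

# Query a live host (assumed arguments: hostname and optional port).
check_host() {
    host="$1"; port="${2:-443}"
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    classify_staple "$out"
}

# Constructed sample output in the shape OpenSSL prints, for an offline dry run.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
'
SAMPLE_NONE='OCSP response: no response sent'

if [ "$#" -ge 1 ]; then
    check_host "$@"
else
    classify_staple "$SAMPLE_STAPLED"   # prints stapled:good
    classify_staple "$SAMPLE_NONE"      # prints none
fi
```

A result of "none" against your own httpd means the stapling directives are not taking effect; "stapled:good" is what a correctly configured server returns.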