Let’s Encrypt builds infrastructure to support browser-based certificate revocation revival

Certificate authority Let’s Encrypt has announced plans to establish a platform that will support the revocation of digital certificates via Certificate Revocation Lists (CRLs).

The CRL approach to disavowing compromised digital identities was established many years ago but has largely been phased out over the last decade or more in favor of the Online Certificate Status Protocol (OCSP), owing to the CRL approach’s burdensome impact on performance.

CRLs are comprehensive lists of digital certificates that have been revoked by a certificate authority (CA) before their expiration date, whereas OCSP enables browsers to consult the CA’s OCSP service on the status of a specific certificate.
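To make the CRL mechanism concrete, here is an added example (not code from the article, from Let’s Encrypt, or from its Boulder CA software) written against the Go standard library’s crypto/x509 package. It constructs a throwaway CA, issues two server certificates, publishes a CRL that lists one of them as revoked, and then performs the relying-party check a browser or client would do: verify the CRL’s signature against the CA, confirm the list is still current, and only then look the certificate’s serial number up. All names, serials and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a throwaway self-signed CA (constructed for this example, not a real CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is required before this CA may sign a CRL.
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{0x01, 0x02, 0x03, 0x04}, // the CRL's AuthorityKeyId points at this
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a server certificate with the given serial number from the CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueCRL is the CA side: sign a CRL listing the given serial numbers as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(7 * 24 * time.Hour), // the list is stale after this
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// isRevoked is the relying-party side. An unverified or stale CRL is treated as an
// error, never as "not revoked": trusting its contents without checking the
// signature would let anyone publish a list that silently un-revokes a certificate.
func isRevoked(crlDER []byte, ca *x509.Certificate, leaf *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is stale (NextUpdate %v)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// demo runs the whole flow and returns: whether the "stolen" certificate is reported
// revoked, whether the untouched one is, and whether a tampered CRL is rejected.
func demo() (stolenRevoked, healthyRevoked, tamperedRejected bool, err error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, false, false, err
	}
	stolen, err := issueLeaf(ca, caKey, 1001, "stolen.example.test")
	if err != nil {
		return false, false, false, err
	}
	healthy, err := issueLeaf(ca, caKey, 1002, "healthy.example.test")
	if err != nil {
		return false, false, false, err
	}
	crlDER, err := issueCRL(ca, caKey, []*big.Int{stolen.SerialNumber})
	if err != nil {
		return false, false, false, err
	}
	if stolenRevoked, err = isRevoked(crlDER, ca, stolen); err != nil {
		return false, false, false, err
	}
	if healthyRevoked, err = isRevoked(crlDER, ca, healthy); err != nil {
		return false, false, false, err
	}
	// Flip the final byte (inside the signature) and confirm the check refuses the list.
	tampered := append([]byte(nil), crlDER...)
	tampered[len(tampered)-1] ^= 0xFF
	_, tErr := isRevoked(tampered, ca, healthy)
	tamperedRejected = tErr != nil
	return stolenRevoked, healthyRevoked, tamperedRejected, nil
}

func main() {
	s, h, t, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("stolen revoked=%v healthy revoked=%v tampered CRL rejected=%v\n", s, h, t)
}
```

The example uses the older RevokedCertificates field so it compiles on any Go release that has ParseRevocationList (1.19 and later); newer releases also expose the same data as RevokedCertificateEntries. The browser-side collection the article describes is essentially this lookup run over the CA’s published lists, with the signature and freshness checks done once per list rather than once per connection.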

Back in vogue

The CRL approach has recently become fashionable again – like listening to albums on vinyl – thanks to recent browser security updates.

“By collecting and summarizing CRLs for their users, browsers are making reliable revocation of certificates a reality, improving both security and privacy on the web,” Let’s Encrypt explains in a blog post explaining how it is establishing an infrastructure to better support CRL-based digital certificate revocation.

Certificates put the ’S’ – security – into HTTPS. Unless a workable certificate revocation system is in place, there’s no remediation for a website owner in cases where an attacker steals the digital certificate of their website.

Without revocation, the compromised credential remains valid until it automatically expires at the end of its lease – most often years after the initial attack.

This undesirable situation is a direct result of the shortcomings in the revocation process that Let’s Encrypt is seeking to address. Powered by changes in browser software and support from Let’s Encrypt, the rejuvenated CRL approach promises an effective mechanism to revoke web certificates once their legitimate owners realize they have been either leaked or stolen – a sadly not infrequent problem.

Digital certificate revocation is therefore less about setting up a secure website in the first place, and more about making your website secure again after it’s been hacked.

The Daily Swig asked Let’s Encrypt to comment on whether it was seeking to encourage wider adoption of this approach by other CAs or through standards bodies, among other questions.

No word back as yet, but we’ll update this story as and when more information comes to hand.

In a Twitter thread, web security expert Scott Helme analyzed the merits and potential drawbacks of Let’s Encrypt’s move and the wider advantages and trade-offs inherent in the browser-based CRL approach.

Source: https://portswigger.net/daily-swig/lets-encrypt-builds-infrastructure-to-support-browser-based-certificate-revocation-revival
