Fraudulent SSL Certs & Revocation

I just read news that fake SSL certificates were issued by Comodo CA, but more interestingly, browser updates were issued to blacklist the certificates. Why this was necessary since we already have a protocol for doing just that?

I found out from this post on the torproject blog that talks about how OCSP is not properly implemented in browsers:

The browsers treat revocation errors as soft errors and a MITM is deadly for revocation. The browsers believe they have to treat them as soft errors because the CAs are failing to do their job properly and are almost entirely unaccountable.

Here’s how some other browsers fare when OCSP fails.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.