Firefox 37 Embraces New Certificate Revocation Techniques

Firefox 37 Embraces New Certificate Revocation Techniques

In 2014, Mozilla revealed their plans to put an end to the use of Online Certificate Status Protocol (OCSP) and to switch to OneCRL. Having in mind the importance of certificate revocation, Mozilla is now taking action and implementing the new feature in the last version of Firefox (37). Conceptually, ОneCRL’s are similar to Chrome’s CRLset, which can promptly block certificates in cases of security dangers.

The reason Mozilla is changing the course of OCSP is because it is not efficient enough for users. The novelty on Firefox 37 will help users by altering certificate revocation.

Revocation itself is a process of disproving a certificate before the day it expires. After the online revocation checking is done, the OCSP is used to determine whether the certificate is valid or not. Unfortunately, the OCSP statement is sound for a few days only.

What OneCRL does is improving revocation checking by creating a list of revoked certs and pushing it out to browsers. So far, OneCRL takes care of intermediate CA certificates, with EE certificates being next in Mozilla’s plan.

If a new certificate needs to be added to the list, the issuer should contact Mozilla and let them know that the certificate has to be revoked. The step is crucial not only from a security perspective, but it is also cost-efficient and user-friendly.

How does OneCRL Improve Blocklisting?

The Mozilla browser already has a mechanism that performs security checks, called blocklisting. How does OneCRL improve the well-known blocklisting? By adding the certificates in need of revocation to the list of errable add-ons and plugins. This action is beneficial for the user since they will not need to update or restart their browser.

Another improvement that OneCRL brings is speed because there is no need for OneCRL certificates to perform OCSP live checks. Thus, no latency occurs during the revocation checking. This fact is essential for EV certs since they require a positive OCSP reaction.

Switching to OneCRL, as stated by Mozilla, was based on bad history with Heartbleed and DigiNotar. Heartbleed is a serious vulnerability security bug in the OpenSSL cryptographic software library. DigiNotar is a Dutch certificate authority that bankrupted in 2011, due to forged issuing of certificates, caused by a security breach.

Replacing OCSP with OneCRL is the first of many improvements that Mozilla has in mind. Their next goal is automating the collection of revocation data.