[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Ryan Hurst ryan.hurst at globalsign.com
Sat Mar 23 00:07:29 MST 2013


I agree with Ryan -- the risk here is exactly the same.

Ryan Hurst
Chief Technology Officer
GMO Globalsign

twitter: @rmhrisk
email: ryan.hurst at globalsign.com
phone: 206-650-7926

Sent from my phone, please forgive the brevity.

On Mar 23, 2013, at 12:04 AM, Ryan Sleevi <sleevi at google.com> wrote:

> 
> On Mar 22, 2013 11:30 PM, "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org> wrote:
> >
> >
> > On 03/23/2013 02:44 AM, From Ryan Sleevi:
> >>
> >>
> >> If the browser has obtained a valid OCSP response (eg: via OCSP stapling), they can skip obtaining fresh revocation information - because to every compliant implementation, it IS fresh revocation information.
> >
> >
> > Let me help you thinking here....in this case there was at least ONE OCSP check done, whereas in your case it's NONE.
> >
> 
> Eddy, there was one check done.
> 
> By the attacker, who then stapled the response to their server. And now every OCSP stapling supporting client *won't* perform their own check. Because that is exactly how stapling is supposed to work.
> 
> The disconnect here seems to be the assumption that every client will check OCSP at least once, so that the CAs revocation is meaningful. They won't. They will use the stapled, outdated response. So the client will see the cert as valid until the response expires - at which point the attacker is forced to get a new response (which says revoked), or they stop stapling and clients do OCSP themselves and see its revoked.
> 
> But that 7 day window *always* exists for *any* CA supporting OCSP, *regardless* of how new the cert is.
> 
> > For an attack to be successful you can't rely on the possibility that A) the victim has visited the site beforehand and B) nothing happened to the cache and C) the software being used doesn't check OCSP again. This isn't a reliable attack and too risky of being detected early.
> 
> No. The attacking server just staples a previously obtained, still time valid OCSP response. No prior visit needed.
> 
> >
> > What you propose is the perfect attack with no chance to intervene, very reliably for 7 days. Usually more than enough for the target.
> 
> And this is the *exact* same attack of OCSP stapling. Which is core to the feature.
> 
> >
> > Regards 
> >  
> > Signer: 
> > Eddy Nigg, COO/CTO
> >  
> > StartCom Ltd.
> > XMPP: 
> > startcom at startcom.org
> > Blog: 
> > Join the Revolution!
> > Twitter: 
> > Follow Me
> >  
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> >
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20130323/17eac035/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2098 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20130323/17eac035/attachment-0001.bin 


More information about the Public mailing list