[cabfpub] Short-Lived Certificate Ballot
sleevi at google.com
Mon Nov 2 12:43:55 MST 2015
On Mon, Nov 2, 2015 at 11:32 AM, Brian Smith <brian at briansmith.org> wrote:
> *How, what happens in a browser (maybe Microsoft's?) that actually
> supports the CRL DP extension?*
> 1. The user attempts to connect to https://example.com by starting the
> TLS handshake with the server it thinks is example.com.
> 2. The attacker intercepts the connection, and completes the TLS
> handshake, stapling the last GOOD response into the connection, using the
> (stolen) private key of the certificate he is using for the attack.
> 3. The user's browser sees that the certificate doesn't have any OCSP URL,
> and so attempts to download the CRL.
> 4. The attacker blocks the CRL download.
For what it's worth, this step is not necessary. An attacker is able to
obtain the fraudulent OCSP response (see BR 1.3.1 Sec 4.9.10 - OCSP SHALL
be provided for subscriber certs) and exploit the same stapling attack
vector to staple the GOOD response.
> 5. The user's browser gives up trying to check the certificate for
> revocation, and accepts the certificate.
> This is exactly the same as if the CRL DP extension were not present.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public