[cabfpub] Short-Lived Certificate Ballot

Ryan Sleevi sleevi at google.com
Mon Nov 2 19:43:55 UTC 2015

On Mon, Nov 2, 2015 at 11:32 AM, Brian Smith <brian at briansmith.org> wrote:

> *How, what happens in a browser (maybe Microsoft's?) that actually
> supports the CRL DP extension?*
> 1. The user attempts to connect to https://example.com by starting the
> TLS handshake with the server it thinks is example.com.
> 2. The attacker intercepts the connection, and completes the TLS
> handshake, stapling the last GOOD response into the connection, using the
> (stolen) private key of the certificate he is using for the attack.
> 3. The user's browser sees that the certificate doesn't have any OCSP URL,
> and so attempts to download the CRL.
> 4. The attacker blocks the CRL download.

For what it's worth, this step is not necessary. An attacker is able to
obtain the fraudulent OCSP response (see BR 1.3.1 Sec 4.9.10 - OCSP SHALL
be provided for subscriber certs) and exploit the same stapling attack
vector to staple the GOOD response.

> 5. The user's browser gives up trying to check the certificate for
> revocation, and accepts the certificate.
> This is exactly the same as if the CRL DP extension were not present.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151102/490e1948/attachment-0003.html>

More information about the Public mailing list