[SSL Observatory] State of SSL-brokenness: Google wants to disable CRL/OCSP

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Feb 9 05:43:08 PST 2012 

Hanno =?ISO-8859-1?B?QvZjaw==?= <hanno at hboeck.de> writes:

>Seems google noted that using OCSP and not rejecting certificates on
>connection failure doesn't make much sense:
>http://www.imperialviolet.org/2012/02/05/crlsets.html
>
>So they decided that they'll probably disable OCSP altogether. Not sure what
>I should think of it (seriously, they're probably right to disable something
>that is broken anyway).

Good to see some common sense finally prevailing in this.  I did a lengthy
analysis of it some time ago:

  What the addition of [OCSP] has done is make the system considerably more
  brittle, reducing its reliability to the lowest common denominator of the
  web server and the OCSP server, as shown in Figure 123.  Recognising this,
  both MSIE 7 and Opera 9 allowed a connection to a site if the corresponding
  OCSP server couldn.t be contacted while Firefox 2 disallowed the connection
  with an incomprehensible OCSP error message. Predictably, the OCSP error was
  seen by users to mean that the site was down, leading to OCSP-induced
  apparent outages of major services like FedEx [ ] .  Mozilla later changed
  Firefox. behaviour to ignore problems that occurred when communicating with
  OCSP responders, acknowledging the fact that .breaking web sites because of
  the unreliability of an OCSP responder is worse [than any security
  consequences]. [ ].

  While we.ve learned to make web servers extremely reliable, we haven.t yet
  done the same for OCSP servers (not helped by the fact that at the time of
  writing no major CA appears to provide for backup OCSP servers in its
  certificates, making the sole OCSP server the single point of failure no
  matter how replicated and redundant the web server or other resource that
  it.s required for might be), and it.s unlikely that there.ll ever be much
  evolutionary pressure to give them the same level of reliability and
  performance that web servers enjoy.  In fact things seem to be going very
  much in the opposite direction: since the OCSP protocol is inherently non-
  scalable, a recent performance .enhancement. was to remove protection
  against man-in-the-middle attacks, making it possible for a server (or an
  attacker) to replay an old response instead of having to generate a new one
  that reflects the true state of the certificate [ ].

(that's just a portion of it) which concluded that it had, at best, a 
questionable impact on security, but a very measurable negative impact on 
availability.  So what Google has done makes perfect sense.  As Ian Grigg put 
it during the Diginotar meltdown, "revocation only works when you don't need 
it".

Peter.

More information about the Observatory mailing list