Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange

From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 26 May 2008 09:15:22 -0400
No, CRLs don't work. Firefox for example does not check for CRLs
(default setting), making certificate revocation senseless. I

assume,

other Browsers don't check CRLs either. And what about the german



That is indeed a problem. AFAIK IE 7 on Vista now does some CRL

checking

by default, but I haven't tried it yet.


I did some research on this recently, and the story for browser support
is actually much more complicated. In addition to CRLs there is a
protocol called OCSP for checking the status of a specific certificate
by serial number.

        * Internet Explorer 6 and Internet Explorer 7 on Windows XP
support CRL checking but default to not using it. 
        * Firefox 1 and 2 support both OCSP and CRL, but default to
using CRL. 
        * Internet Explorer 7 on Vista and Firefox 3 support both OCSP
and CRL and default to using OCSP. Opera 8.5 and later supports only
OCSP and uses it by default.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: