Revoked certs not showing as revoked in browsers


#1

I’ve revoked a certificate, but browsers still show it as fine. SSL labs check does show it revoked, but what’s the point in revoking a certificate if browsers don’t notice?

Apols if this is a stupid question, I’m not completely new to certificate mgmt but realise there’s lots I don’t know.


#2

Your browser may have a valid OCSP response in cache. They are valid for up to 4 days, so I guess that after at most 4 days your cert will appear as revoked in browsers (assuming browsers support and check OCSP).


#3

Google Chrome seems to completely ignore OCSP and, according to http://www.zdnet.com/article/chrome-does-certificate-revocation-better/, Google compiles and pushes a CRL to Chrome via updates.

As Let's Encrypt only does OCSP and does not have (to my knowledge) a CRL (Certificate Revocation List), I wonder how Let's Encrypt revocation can work in Google Chrome. It would be nice to have an answer from Let's Encrypt staff ^^.


#4

Client side OCSP is a privacy risk. Chrome for example has it disabled (@Nit: it doesn’t “ignore” the OCSP reply, it just doesn’t query at all).

The right method of using OCSP is OCSP stapling. That way, there’s no privacy risk for the client.

More useful info: Mozilla blog about revocation and OCSP


#5

That’s what I mean by ignore. But anyway, wrong choice of words, my bad.

I am still interested in knowing how Let's Encrypt revocation can work with Chrome without OCSP stapling, which won’t be used by an attacker if the private key leaked.


#6

Note (to myself) that this can be fixed when support for Must-Staple / TLS-Feature is deployed to the production Boulder (a Let's Encrypt client option could also be added to ease deployment of this cert extension).


#7

As far as I know: no.

[quote=“Nit, post:6, topic:11531”]
Note (to myself) that this can be fixed when support for Must-Staple / TLS-Feature is deployed to the production Boulder (a Let's Encrypt client option could also be added to ease deployment of this cert extension).[/quote]

Unfortunately, browser support for Must-Staple is quite premature… Firefox has the feature in the development version (45), but that version isn’t stable yet… Chrome doesn’t have support at all. I don’t know about other browsers.
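The three mechanisms discussed in this thread (a cached OCSP response that stays valid for up to 4 days in post #2, OCSP stapling as the privacy-preserving alternative in post #4, and the Must-Staple / TLS Feature extension in posts #6 and #7) can be modelled in a few dozen lines. The following is an added example, not code from Let's Encrypt, Boulder or any browser: it encodes and decodes the TLS Feature certificate extension (OID 1.3.6.1.5.5.7.1.24 from RFC 7633, feature number 5 = status_request) with a minimal DER encoder written for this example, and then applies a simplified client policy of the kind the thread describes, where a browser never queries the OCSP responder itself and relies only on a stapled or cached response. The `OcspResponse` class and `client_decision` function are assumptions made for illustration; real browser logic has more cases.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                       # TLS extension number for status_request (OCSP stapling)


# --- minimal DER helpers written for this example (not a general ASN.1 library) ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                     # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_tls_feature_extension(features=(STATUS_REQUEST,)) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING (SEQUENCE OF INTEGER) }."""
    inner = b"".join(_tlv(0x02, bytes([f])) for f in features)
    return _tlv(0x30, encode_oid(TLS_FEATURE_OID) + _tlv(0x04, _tlv(0x30, inner)))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def requires_stapling(extension_der: bytes) -> bool:
    """True if a DER-encoded Extension is TLS Feature listing status_request (Must-Staple)."""
    tag, ext_body, _ = _read_tlv(extension_der, 0)
    if tag != 0x30:
        return False
    tag, oid_body, pos = _read_tlv(ext_body, 0)
    if tag != 0x06 or decode_oid(oid_body) != TLS_FEATURE_OID:
        return False
    tag, value, pos = _read_tlv(ext_body, pos)
    if tag == 0x01:                    # optional "critical" BOOLEAN before the value
        tag, value, pos = _read_tlv(ext_body, pos)
    _, seq, _ = _read_tlv(value, 0)    # OCTET STRING wraps SEQUENCE OF INTEGER
    pos = 0
    while pos < len(seq):
        _, intbody, pos = _read_tlv(seq, pos)
        if int.from_bytes(intbody, "big") == STATUS_REQUEST:
            return True
    return False


@dataclass
class OcspResponse:
    cert_status: str        # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime   # a cached response is only usable until this time

    def usable_at(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


def client_decision(must_staple: bool, stapled: Optional[OcspResponse],
                    cached: Optional[OcspResponse], now: datetime) -> str:
    """Simplified policy for a client that never contacts the OCSP responder itself."""
    response = next((r for r in (stapled, cached) if r is not None and r.usable_at(now)), None)
    if response is None or response.cert_status == "unknown":
        if must_staple:
            return "reject: certificate requires OCSP stapling but no fresh response was stapled"
        return "accept: no revocation information available (soft-fail)"
    if response.cert_status == "revoked":
        return "reject: OCSP response says revoked"
    return "accept: OCSP response says good"


if __name__ == "__main__":
    # Constructed scenario: the cert is revoked at T0, but the client cached a "good"
    # response one day earlier that stays valid for 4 days (as post #2 describes).
    T0 = datetime(2016, 1, 1, tzinfo=timezone.utc)
    cached_good = OcspResponse("good", T0 - timedelta(days=1), T0 + timedelta(days=3))
    ext = encode_tls_feature_extension()
    print("Must-Staple present:", requires_stapling(ext))
    print("day 1, cached response:", client_decision(False, None, cached_good, T0 + timedelta(days=1)))
    print("day 5, no staple, no Must-Staple:", client_decision(False, None, cached_good, T0 + timedelta(days=5)))
    print("day 5, no staple, Must-Staple:", client_decision(True, None, cached_good, T0 + timedelta(days=5)))
```

The last two lines of the demo are the point of posts #5 through #7: without Must-Staple, a server that simply omits the staple is accepted by a client that does not query OCSP, whereas with the extension the missing staple itself becomes a hard failure.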