

Earlier this week, Mozilla announced the introduction of a new feature in Firefox 37 that will help protect users by revoking intermediate certificates.

The new mechanism would come as a significant improvement over OCSP (Online Certificate Status Protocol), which the browser currently uses to check the status of a certificate.

“For online revocation checks, either you have a system that fails open or you accept the performance penalty of checks that are more strict (as is the case for EV certificates),” explained Mozilla security engineer Mark Goodwin.

“OCSP stapling can remove the need for live revocation checks, but currently, only around 9% of TLS connections use it.”

With OneCRL, the revocation checking process would be much faster, as the feature would maintain a centralized list of revoked certificates that would be pushed out to browsers.

“Currently, if a serious incident occurs that requires certificates to be revoked, we release an update to Firefox to address the problem,” said Goodwin.

This process is not only slow but also costly, Goodwin added, as users are then required to install the update and restart the application.

Although Firefox’s blocklisting mechanism already performs periodic scans for harmful plugins, add-ons or third-party software, OneCRL extends this capability to include certificates that should be revoked, without users having to update or refresh their browsers.

Goodwin notes that as of now, OneCRL only covers CA intermediate certificates for the purpose of limiting the size of the blocklist.
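
An added example, not code from Mozilla or from the original article: a simplified Python model contrasting fail-open and strict online checks with a locally pushed list of revoked intermediates. The certificate records, the (issuer, serial) key and all function names are assumptions for illustration; no real OCSP or Firefox code is involved.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str
    is_ca: bool

# Constructed sample data; every name and serial here is made up.
LEAF = Cert("www.example.test", "Example Intermediate CA", "0a01", False)
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", "1f02", True)
CHAIN = [LEAF, INTERMEDIATE]

def key(cert):
    # Assumption: a revocation entry is identified by (issuer, serial).
    return (cert.issuer, cert.serial)

class ResponderUnreachable(Exception):
    pass

def ocsp_status(cert, revoked_at_ca, reachable):
    """Stand-in for a live OCSP round trip to the CA's responder."""
    if not reachable:
        raise ResponderUnreachable(cert.subject)
    return "revoked" if key(cert) in revoked_at_ca else "good"

def online_check(chain, revoked_at_ca, reachable, hard_fail):
    """Return True if the chain is accepted under live checking."""
    for cert in chain:
        try:
            if ocsp_status(cert, revoked_at_ca, reachable) == "revoked":
                return False
        except ResponderUnreachable:
            if hard_fail:
                return False  # strict: no answer means no connection
            # fail open: no answer is treated the same as "good"
    return True

def pushed_list_check(chain, blocklist):
    """Return True if no CA certificate in the chain is on the local list."""
    return not any(c.is_ca and key(c) in blocklist for c in chain)

def evaluate(revoked_at_ca, blocklist, reachable):
    """Run all three policies over CHAIN and report which ones accept it."""
    return {
        "soft_fail": online_check(CHAIN, revoked_at_ca, reachable, hard_fail=False),
        "hard_fail": online_check(CHAIN, revoked_at_ca, reachable, hard_fail=True),
        "pushed_list": pushed_list_check(CHAIN, blocklist),
    }
```

With the responder unreachable, `evaluate` shows the soft-fail check accepting a chain whose intermediate is revoked while the pushed list still rejects it; a revoked leaf is outside an intermediates-only list.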

“The initial version of OneCRL that we have today is an important step,” said Goodwin.

“It will speed up revocation checking, especially for sites that use EV certificates. But we’re not done yet. We’re working on scaling up OneCRL so that its benefits apply more broadly, and on automating the collection of revocation information so that it gets to browsers more quickly.”

Following Lenovo’s recent Superfish debacle and other issues around trusting certificates, security experts note this will be a convenient feature to integrate into the browser.

“Instead of forcing users to update their entire browser, the ability to dynamically update trusted certificates helps remediate this challenge and ensure untrusted certificates are flagged in near real-time,” said Westin.

Firefox 37 is set for release on March 31, 2015.


  • It seems like a no-brainer, utterly simple feature. Why only now?

  • Paul

    Erm. The last Firefox update I installed meant I couldn't access my normal sites without a security exception coming up. I mean even bog standard sites like The National Lottery. So, unfortunately, I'm now using Safari. I know several people that have binned it too. If you can't access sites, what's the point?

  • Mr James

    Paul, I think you are right about using Safari after what I found out today.

    I have well gone off Firefox after finding that the Android version without any plugins is listening in to DLNA broadcast messages from devices like XBoxes and Samsung Smart TVs and then making a UPNP request to the devices to receive XML data back from these devices.

    In my case this not only includes the make and model of the TV but also the serial number, and it's not like my simple Android device can stream to the TV or play XBox games.

    I know Google pays Firefox $50m a year and they don't do that without getting something in return as you can see if you type About:config into the URL and search for Google but I will not put up with Firefox hacking my local area network to then upload all the device data back to central server.

    Shown below is both the request and reply I captured with some of the data replaced using XXX and I also had to tweak the HTML tags in the XML so it would post.

    GET /smp_24_ hxxp/1.1
    Host: X.X.X.40:7676
    User-Agent: Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    hxxp/1.1 200 OK
    CONTENT-TYPE: text/xml; charset="utf-8"
    Date: Thu, 01 Jan 1970 03:59:18 GMT
    connection: close
    Application-URL: hxxp://X.XX.40:80/ws/app/
    SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0

    [?xml version="1.0"?]
    [root xmlns='urn:schemas-upnp-org:device-1-0' xmlns:sec='hxxp://' xmlns:dlna='urn:schemas-dlna-org:device-1-0']
      [specVersion]
        [major]1[/major]
        [minor]0[/minor]
      [/specVersion]
      [device]
        [deviceType]urn:dial-multiscreen-org:device:dialreceiver:1[/deviceType]
        [friendlyName][TV]Samsung50[/friendlyName]
        [manufacturer]Samsung Electronics[/manufacturer]
        [manufacturerURL]hxxp://[/manufacturerURL]
        [modelDescription]Samsung TV NS[/modelDescription]
        [modelName]XXX9200[/modelName]
        [modelNumber]1.0[/modelNumber]
        [modelURL]hxxp://[/modelURL]
        [serialNumber]XXXXXXXXXX[/serialNumber]
        [UDN]uuid:0dbXXXXXXXXXXXX[/UDN]
        [sec:deviceID]XXXXXXOMKVUK[/sec:deviceID]
        [sec:ProductCap]Resolution:1280X720,Y2013[/sec:ProductCap]
        [serviceList]
          [service]
            [serviceType]urn:dial-multiscreen-org:service:dial:1[/serviceType]
            [serviceId]urn:dial-multiscreen-org:serviceId:dial[/serviceId]
            [controlURL]/smp_26_[/controlURL]
            [eventSubURL]/smp_27_[/eventSubURL]
            [SCPDURL]/smp_25_[/SCPDURL]
          [/service]
        [/serviceList]
      [/device]
    [/root]
