Earlier this week, Mozilla announced the introduction of a new feature in Firefox 37 that will help protect users by revoking intermediate certificates.
The new mechanism would come as a significant improvement from OCSP (online certificate status protocol), which the browser currently uses to check the status of a certificate.
“For online revocation checks, either you have a system that fails open or you accept the performance penalty of checks that are more strict (as is the case for EV certificates),” explained Mozilla security engineer Mark Goodwin.
“OCSP stapling can remove the need for live revocation checks, but currently, only around 9% of TLS connections use it.”
With the new feature, called OneCRL, revocation checking would be much faster: the feature maintains a centralized list of revoked certificates that is pushed out to browsers.
“Currently, if a serious incident occurs that requires certificates to be revoked, we release an update to Firefox to address the problem,” said Goodwin.
This process is not only slow but also costly, Goodwin added, as users are then required to install the update and restart the application.
Although Firefox’s blocklisting mechanism already performs periodic scans for harmful plugins, add-ons or third-party software, OneCRL extends this capability to include certificates that should be revoked, without users having to update or refresh their browsers.
Goodwin notes that, for now, OneCRL covers only CA intermediate certificates, in order to keep the blocklist small.
“The initial version of OneCRL that we have today is an important step,” said Goodwin.
“It will speed up revocation checking, especially for sites that use EV certificates. But we’re not done yet. We’re working on scaling up OneCRL so that its benefits apply more broadly, and on automating the collection of revocation information so that it gets to browsers more quickly.”
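To illustrate the difference described above, here is an added example (not Mozilla's code, and not OneCRL's real data format): a local blocklist check over a certificate chain, limited to CA intermediates as the initial OneCRL is, contrasted with a soft-fail OCSP lookup that lets the connection proceed when the responder cannot be reached. The certificate chain, the blocklist entries and the (issuer, serial) keying are all constructed assumptions.

```python
"""Toy model: list-based revocation (OneCRL-style) vs. fail-open OCSP.
Constructed example; the entry format is an assumption, not OneCRL's."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool  # True for root and intermediate CA certificates


# Hypothetical blocklist keyed by (issuer, serial). Pushed to the client
# out of band, so no browser update or restart is needed to extend it.
BLOCKLIST = {
    ("CN=Example Root CA", 0x1002),  # constructed: a blocked intermediate
}


def onecrl_check(chain: list[Cert], blocklist: set) -> Optional[Cert]:
    """Return the first blocked CA certificate in the chain, or None.
    Only CA certificates are consulted, mirroring the article's note that
    the initial OneCRL covers intermediates only. The lookup is purely
    local, so it is fast and has no responder to 'fail open' against."""
    for cert in chain:
        if cert.is_ca and (cert.issuer, cert.serial) in blocklist:
            return cert
    return None


def ocsp_check(cert: Cert, responder_reachable: bool, revoked: set) -> str:
    """Model of a soft-fail OCSP lookup: if the responder is unreachable
    the connection proceeds anyway, the fail-open behaviour quoted above."""
    if not responder_reachable:
        return "unknown-accepted"  # soft fail: treated as not revoked
    return "revoked" if cert.serial in revoked else "good"


def chain_is_trusted(chain: list[Cert], blocklist: set) -> bool:
    return onecrl_check(chain, blocklist) is None


# Constructed chain: leaf <- intermediate <- root
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA", 0x2001, False)
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA", 0x1002, True)
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 0x1, True)
CHAIN = [LEAF, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    hit = onecrl_check(CHAIN, BLOCKLIST)
    print("blocked intermediate:", hit.subject if hit else None)
    print("ocsp with responder down:", ocsp_check(INTERMEDIATE, False, {0x1002}))
```

Note that a blocklist entry for the leaf certificate would not be matched here, which is exactly the scope limitation Goodwin describes for the initial version.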
Following Lenovo’s recent Superfish debacle and other issues around trusting certificates, security experts note this will be a convenient feature to integrate into the browser.
“Instead of forcing users to update their entire browser, the ability to dynamically update trusted certificates helps remediate this challenge and ensure untrusted certificates are flagged in near real-time,” said Westin.
Firefox 37 is set to release March 31, 2015.