Let’s Encrypt is building an infrastructure to support browser-based certificate revocation
CRLs are back, baby!
Certificate authority Let’s Encrypt has announced plans to establish a platform that will support the revocation of digital certificates via Certificate Revocation Lists (CRLs).
The CRL approach to disavowing compromised digital identities was established many years ago, but has been largely abandoned over the past decade or more in favor of the Online Certificate Status Protocol (OCSP), due to its heavy impact on performance.
CRLs are complete lists of digital certificates that have been revoked by a certificate authority (CA) before their expiration date, while OCSP allows browsers to query the CA’s OCSP service for the status of a specific certificate.
Back in fashion
The CRL approach has recently come back into vogue – like listening to albums on vinyl – thanks to recent browser security updates.
“By collecting and summarizing CRLs for their users, browsers are making reliable certificate revocation a reality, improving both security and privacy on the web,” Let’s Encrypt explains in a blog post describing how it has put in place infrastructure to better support CRL-based certificate revocation.
Certificates put the “S” – security – in HTTPS. Unless a working certificate revocation system is in place, there is no remediation for a website owner in cases where an attacker steals their website’s digital certificate.
Without revocation, the compromised credential remains valid until it automatically expires at the end of its lease, usually years after the initial attack.
This undesirable situation is a direct result of the shortcomings in the revocation process that Let’s Encrypt seeks to address. Powered by browser software changes and Let’s Encrypt support, the rejuvenated CRL approach promises an effective mechanism to revoke web certificates once their rightful owners realize they’ve been leaked or stolen – an unfortunately quite common problem.
Digital certificate revocation is therefore less about setting up a secure website in the first place and more about securing your website again after it has been hacked.
The Daily Swig asked Let’s Encrypt whether it seeks to encourage wider adoption of this approach by other CAs or through standards bodies, among other questions.
No word yet, but we’ll update this story as more information becomes available.
In a Twitter thread, web security expert Scott Helme analyzed the merits and potential drawbacks of Let’s Encrypt’s decision, as well as the broader benefits and trade-offs inherent in the browser-based CRL approach.