Firefox 37 gets local revoked intermediary certificates blocklist - gHacks Tech News

Firefox 37 gets local revoked intermediary certificates blocklist

Mozilla announced a new feature coming to Firefox 37 that adds a list of revoked intermediary certificates to a local blocklist in order to speed up revocation checking and improve how revoked certificates are handled by the browser.

Revocation refers to the process of invalidating certificates before their expiration date (which can be years in the future).

So, in order for Firefox to determine whether a certificate is revoked or not, it either needs to have those information right away because they have been hard coded into the browser, or it needs to make a request to find out about it.

It turns out that these remote requests are not effective or helping as attackers can find a way around them.

This leaves hard coded revoked certificates right now which is not ideal either considering that Mozilla needs to create an update of the browser whenever it needs to update the revoked certificate list that is hard coded in the browser.

The creation of a new Firefox build binds resources and requires users of the browser to download and install the update as well.

valid certificate

The new system that Mozilla launches in Firefox 37 resolves those issues in Firefox. It uses the same system used by the browser's existing blocklist which lists plugins, extensions and drivers that are blocked by Mozilla for reasons such as causing stability issues or being insecure.

The effect is that Mozilla can update the list independent of the browser which ensures that updates reach user systems faster and with minimal effort.Mozilla calls this new feature OneCRL and it benefits Firefox users in another way.

Since blocked certificates are available locally, Firefox does not need to do live OSCP checks anymore which in turn means no additional latency and faster response times.Mozilla notes that only CA intermediate certificates are covered by the new feature currently.

OneCRL receives updates whenever a certificate authority in the root program notifies Mozilla about the revocation of an intermediate certificate.

For now, this means that the information are processed by Mozilla manually before they are added to the browser.

The organization has plans to improve the process further by automating it so that revoked certificate information are automatically added to the blocklist whenever a root certificate authority notifies Mozilla about revoked certificates.

Additional information about the implementation are available on Bugzilla.

Summary
Firefox 37 gets local revoked intermediary certificates blocklist
Article Name
Firefox 37 gets local revoked intermediary certificates blocklist
Description
Firefox 37 includes a local certificate revocation blocklist to improve the way revoked certificates are handled in the browser and to speed up browsing.
Author

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. YB said on March 5, 2015 at 4:04 pm
    Reply

    This is exactly one feature that I am happy came from the Nightly version.

  2. Ronald said on March 5, 2015 at 5:18 pm
    Reply

    It seems like a no-brainer, utterly simple feature. Why only now?

  3. pd said on April 5, 2015 at 1:56 pm
    Reply

    It’s crap! It’s blocking perfectly valid self certificated sites, with no way (as far as I can see) of adding exceptions. Not everyone is prepared to pay the Mafia (Thawte et al) to have the privilege of a secure site. One could even argue, they’re less secure than a self certificated site, as the only person in the World that has the root key is the site owner.

    Never take all the power from users – that’s a big mistake.

    For anyone that want’s to overcome this problem, you can turn off OSCP in about:config – but be careful if you’re unsure of what you’re doing.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.