Firefox 37 gets local revoked intermediary certificates blocklist
Mozilla announced a new feature coming to Firefox 37 that adds a list of revoked intermediate certificates to a local blocklist, in order to speed up revocation checking and improve how revoked certificates are handled by the browser.
Revocation refers to the process of invalidating certificates before their expiration date (which can be years in the future), for instance because the private key was compromised or the certificate was mis-issued.
So, for Firefox to determine whether a certificate has been revoked, it either needs to have that information already, because it has been hard coded into the browser, or it needs to make a remote request (such as an OCSP query) to find out.
It turns out that these remote requests are not effective, because attackers can find a way around them: if the OCSP responder cannot be reached, the browser treats the certificate as valid rather than failing the connection, and an attacker positioned to present a revoked certificate is usually also able to block that request.
That leaves hard coding the revoked certificates into the browser, which is not ideal either, since Mozilla has to ship a new build of the browser whenever the hard-coded list needs to change.
Producing a new Firefox build ties up resources and requires users of the browser to download and install the update as well.
The new system that Mozilla launches in Firefox 37 resolves those issues. It uses the same mechanism as the browser's existing blocklist, which lists plugins, extensions and graphics drivers that Mozilla has blocked for reasons such as causing stability issues or being insecure.
The effect is that Mozilla can update the list independently of the browser, which ensures that updates reach user systems faster and with minimal effort.

Mozilla calls this new feature OneCRL, and it benefits Firefox users in another way.
Since the blocked certificates are available locally, Firefox no longer needs to perform a live OCSP check for the covered intermediate certificates, which removes the latency of that request and speeds up connections.

Mozilla notes that only CA intermediate certificates are covered by the new feature currently; end-entity (server) certificates are not on the list.
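As an added example (not Mozilla's code, and not code from the original article), the following Python models the two revocation paths the article contrasts: a live OCSP check that fails open when the responder is unreachable, and a OneCRL-style lookup against a local list keyed by issuer name and serial number. The blocklist excerpt follows the certItem/serialNumber shape of Firefox's blocklist.xml as I understand it (an assumption), and the issuer names, serial numbers and the `blocked_ocsp` responder are constructed stand-ins rather than real DER or real certificates.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Callable, NamedTuple

NS = "{http://www.mozilla.org/2006/addons-blocklist}"


class Cert(NamedTuple):
    """Only the fields a revocation lookup needs; a stand-in for a parsed X.509
    certificate. issuer and serial carry the bytes OneCRL compares exactly."""
    label: str
    issuer: bytes
    serial: bytes


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed stand-ins. Real entries hold the DER encoding of the issuer Name
# and of the serialNumber INTEGER; the byte-for-byte matching is the same.
ROOT_DN = b"DER(CN=Example Root CA)"
INTERMEDIATE_DN = b"DER(CN=Example Intermediate CA)"
REVOKED_SERIAL = bytes.fromhex("0a1b2c3d")

# Blocklist excerpt in the blocklist.xml shape (assumed): one certItem per
# issuer, listing the serial numbers revoked under it. Constructed data.
BLOCKLIST_XML = f"""<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <certItems>
    <certItem issuerName="{b64(ROOT_DN)}">
      <serialNumber>{b64(REVOKED_SERIAL)}</serialNumber>
    </certItem>
  </certItems>
</blocklist>
"""


def load_onecrl(xml_text: str) -> set[tuple[bytes, bytes]]:
    """Parse certItem records into a set of (issuer, serial) byte pairs."""
    entries = set()
    for item in ET.fromstring(xml_text).iter(NS + "certItem"):
        issuer = base64.b64decode(item.get("issuerName"))
        for sn in item.iter(NS + "serialNumber"):
            entries.add((issuer, base64.b64decode(sn.text.strip())))
    return entries


def ocsp_revoked_soft_fail(cert: Cert, fetch: Callable[[Cert], str]) -> bool:
    """Live OCSP the way browsers have traditionally done it: if the responder
    cannot be reached, the certificate is treated as good. An on-path attacker
    who can present a revoked certificate can usually also drop this request,
    so the check fails open."""
    try:
        return fetch(cert) == "revoked"
    except (TimeoutError, ConnectionError):
        return False


def chain_revoked_ocsp_only(chain: list[Cert], fetch) -> bool:
    """Pre-OneCRL flow: every certificate in the chain goes to the network."""
    return any(ocsp_revoked_soft_fail(c, fetch) for c in chain)


def chain_revoked_onecrl(chain: list[Cert], entries, fetch) -> tuple[bool, str]:
    """OneCRL flow: intermediates (chain[1:]) are answered from the local list
    with no round-trip; the end-entity certificate (chain[0]) is still checked
    live, modelled here as the same soft-fail OCSP lookup."""
    for cert in chain[1:]:
        if (cert.issuer, cert.serial) in entries:
            return True, f"{cert.label}: listed in local OneCRL"
    if ocsp_revoked_soft_fail(chain[0], fetch):
        return True, f"{chain[0].label}: OCSP responder says revoked"
    return False, "no revocation found"


def blocked_ocsp(cert: Cert) -> str:
    """Models an attacker dropping OCSP traffic: every request times out."""
    raise TimeoutError(f"no route to OCSP responder for {cert.label}")


def demo() -> dict[str, bool]:
    """Server chain leaf -> revoked intermediate -> root, with OCSP blocked."""
    chain = [
        Cert("leaf www.example.test", INTERMEDIATE_DN, bytes.fromhex("7f")),
        Cert("revoked intermediate", ROOT_DN, REVOKED_SERIAL),
    ]
    good_chain = [chain[0], Cert("other intermediate", ROOT_DN, bytes.fromhex("11"))]
    entries = load_onecrl(BLOCKLIST_XML)
    return {
        "ocsp_only_rejects": chain_revoked_ocsp_only(chain, blocked_ocsp),
        "onecrl_rejects": chain_revoked_onecrl(chain, entries, blocked_ocsp)[0],
        "onecrl_accepts_good": not chain_revoked_onecrl(good_chain, entries, blocked_ocsp)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With OCSP traffic blocked, the OCSP-only flow accepts the chain containing the revoked intermediate (soft fail), while the OneCRL flow rejects it from the local list without any network access; a chain whose intermediate is not listed is still accepted, which is why Mozilla only removes the live fetch for the certificates the list covers.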
OneCRL receives updates whenever a certificate authority in the root program notifies Mozilla about the revocation of an intermediate certificate.
For now, this means that the information is processed by Mozilla manually before it is added to the blocklist.
The organization plans to improve the process further by automating it, so that revoked certificate information is added to the blocklist automatically whenever a root certificate authority notifies Mozilla about a revocation.
Additional information about the implementation is available on Bugzilla.
This is exactly one feature that I am happy came from the Nightly version.
It seems like a no-brainer, utterly simple feature. Why only now?
It’s crap! It’s blocking perfectly valid self-certified sites, with no way (as far as I can see) of adding exceptions. Not everyone is prepared to pay the Mafia (Thawte et al) to have the privilege of a secure site. One could even argue they’re less secure than a self-certified site, as the only person in the world that has the root key is the site owner.
Never take all the power from users – that’s a big mistake.
For anyone who wants to overcome this problem, you can turn off OCSP in about:config – but be careful if you’re unsure of what you’re doing.