Let us talk about OCSP. If you do a little background reading, you’ll discover that almost all implementations do a soft-fail by default, and soft-fail is worse than not having OCSP at all, since it gives a sense of false security. Adam Langley from google discusses the absurdity of soft-fail in this blog post nicely. However, I refuse to accept his claim that CRLset is a good idea and that chrome does it better. Firefox allows me to enable OCSP hard-fail, something that I can not do in Chrome, and hence I abandoned chrome.
What if the browser enabled OCSP by default, and in case of a failure, prompts the user with a warning that says something like “I am not absolutely sure that the connection can be trusted.”, provides a link “More Details” that shows the technical details, and allows the user to choose if he/she wants to proceed. Or highlight the address bar in yellow or something for failed OCSP. Or show a unobtrusive notification .
OCSP is not the magic bullet, agreed. It is a convoluted solution to the revocation problem that demands compromise in one way or other. But if browsers had adopted it in better ways instead of defaulting to soft-fail, the web would have been a much secure place. And I believe compromising a lot of security for little convenience is a bad gamble.
People talk of single point of failure if OCSP hard-fail is enabled, that OCSP servers would be overloaded, and stuff. A compromise between soft-fail and hard-fail as default should work, and I’m sure we can come up with solutions to mitigate the SPOF if enough thought is given to it.
On a related note, I hope OCSP stapling gets more widely adopted. It solves many issues with current implementations, avoids the absurdities of soft-fail and SPOF concerns of hard-fail. Coupling it with a warning notification of the sort discussed above in major browsers will increase its adoption rates.
This post was triggered by a OCSP hard-fail notification for bugs.launchpad.net few minutes ago. I get a OCSP failure very very rarely. I suggest you switch to firefox and enable it for better security. To enable OCSP hard-fail on Firefox, go to Preferences > Advanced > Certificates > Validation and tick both the options.
- No, don’t enable revocation checking ( Adam Langley, 19 Apr 2014)
- Revocation still doesn’t work (Adam Langley, 29 Apr 2014)
- Security Certificate Revocation Awareness Test (GRC)
- Security Certificate Revocation – Specific Implementations (GRC)
- An Evaluation of the Effectiveness of Chrome’s CRLSets ( GRC)
- The case for “OCSP Must-Staple” (GRC)