Open Bug 1849744 Opened 1 year ago Updated 8 days ago

Sites serving revoked TLS certificates

Categories: Web Compatibility :: Knowledge Base, defect
Tracking: (Not tracked)
People: Reporter: denschub, Unassigned

User Story

url:account.netzero.net/*
url:www.bescom.co.in/*

Some sites do serve TLS certificates that have been revoked, but they still work in Chrome. The difference between browsers here will probably go away after bug 1429800, but for now, let's track those cases.

See Also: → crlite

For what it's worth, CRLite will probably increase the differences between browsers. CRLite is a more effective revocation checking tool than OCSP (about 10% of OCSP checks fail due to network errors), and we're the only browser that has a CRLite implementation.

Oh, then I missed something - I thought it would bring us closer to what Chrome does. Oh well. Then it's even better to keep track of those things. Thanks for the clarification! :)

FYI, the reverse scenario: CRLite allows a revoked cert whilst OCSP doesn't:

I can confirm what Simon describes.

I'm not warned when clicking on the 2nd link with CRLite enabled and OCSP disabled (I followed the steps mentioned via the 1st link).
With OCSP enabled I'm warned on the 2nd link; I would expect that CRLite alone would also recognize revoked certificates.

Just recognized CRLite was updated and the issue mentioned by Simon is fixed.
Firefox now recognizes the DigiCert site as revoked, based on CRLite.
Thanks so much Mozilla!

CRLite seems broken again at the moment.

The following websites are opened and no warning is shown with CRLite enabled:
https://digicert-tls-ecc-p384-root-g5-revoked.chain-demos.digicert.com/
http://revoked.grc.com/

I receive a warning on https://revoked.grc.com/ but not on https://digicert-tls-ecc-p384-root-g5-revoked.chain-demos.digicert.com/.

Neither certificate appears to be covered by the current CRLite filter, but Firefox should fall back to OCSP when that happens.

https://crt.sh/?id=14138518440&opt=ocsp shows that the digicert-tls-ecc-p384-root-g5-revoked certificate was revoked very recently, and OCSP servers are allowed to cache results for several days. So I suspect this will resolve itself shortly.

I receive no warning for both sites, even though all my CRLite files were updated today.
A few months ago when I tested, both sites were successfully shown as revoked via CRLite.

OCSP is disabled on my Firefox config and CRLite is enforced via about:config on my client:
security.pki.crlite_mode = 2
security.remote_settings.crlite_filters.enabled = true

Firefox is now correctly notifying that the cert for both sites is revoked, via CRLite only.
Seems CRLite is working again, thanks a lot!
