{"id":7788,"date":"2021-10-11T17:11:04","date_gmt":"2021-10-11T15:11:04","guid":{"rendered":"https:\/\/tekmart.co.za\/t-blog\/?p=7788"},"modified":"2021-10-11T17:12:08","modified_gmt":"2021-10-11T15:12:08","slug":"what-is-a-certificate-revocation-list-crl-what-they-are-their-importance-and-why-they-can-get-revoked","status":"publish","type":"post","link":"https:\/\/tekmart.co.za\/t-blog\/what-is-a-certificate-revocation-list-crl-what-they-are-their-importance-and-why-they-can-get-revoked\/","title":{"rendered":"What is a certificate revocation list (CRL): what they are, their importance, and why they can get revoked."},"content":{"rendered":"<h2 class=\"wp-block-heading\"><strong>A certificate revocation list (CRL) is a list of\u00a0digital certificates\u00a0that have been revoked by the issuing certificate authority (CA) before their actual or assigned expiration date.<\/strong><\/h2>\n\n\n\n<p>By <a href=\"https:\/\/www.techtarget.com\/contributor\/Rahul-Awati\">Rahul Awati<\/a> and <a href=\"https:\/\/www.techtarget.com\/contributor\/Michael-Cobb\">Michael Cobb<\/a><\/p>\n\n\n\n<p>A CRL is a type of blocklist that includes certificates that should no longer be trusted and is used by various endpoints, including\u00a0web browsers, to verify whether a certificate is valid and\u00a0trustworthy.<\/p>\n\n\n\n<p>The CRL file is signed by the CA to prevent tampering.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What is a digital certificate?<\/strong><\/h3>\n\n\n\n<p>Digital certificates are used in the\u00a0encryption\u00a0process to secure communications and create trust in\u00a0online transactions\u00a0&#8212; most often, by using the Transport Layer Security\/Secure Sockets Layer (TLS\/SSL) protocol. 
The certificate, which is signed by the issuing CA, also provides proof of the certificate owner&#8217;s identity.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>When a web browser connects to a site using TLS, its digital certificate is checked for anomalies or problems. Part of this process involves checking that the certificate is not listed in a CRL.<\/p><\/blockquote>\n\n\n\n<p>These checks are crucial for certificate-based transactions because they allow a user to verify the identity of the site owner and discover if the digital certificate is trustworthy.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"700\" height=\"500\" src=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/A-browser-should-show-a-message-when-a-Web-page-uses-a-revoked-certificate.jpg\" alt=\"A browser should show a message when a Web page uses a revoked certificate.\" class=\"wp-image-7789\" srcset=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/A-browser-should-show-a-message-when-a-Web-page-uses-a-revoked-certificate.jpg 700w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/A-browser-should-show-a-message-when-a-Web-page-uses-a-revoked-certificate-300x214.jpg 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption><strong>A browser should show a message when a Web page uses a revoked certificate.<\/strong><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What defines a certificate revocation list?<\/strong><\/h3>\n\n\n\n<p>According to the\u00a0National Institute of Standards and Technology, a CRL is a list maintained by a certification authority of the certificates it has issued and revoked prior to their stated expiration date. 
CRLs contain certificates that have either been irreversibly revoked (revoked) or have been marked as temporarily invalid (hold).<\/p>\n\n\n\n<p>The CRL does not include expired certificates. Also, the CRL issuer (third party) may not be the same entity as the CA that issued the revoked certificate.<\/p>\n\n\n\n<p>The\u00a0X.509\u00a0standard defines the format and semantics of a CRL for a public key infrastructure (PKI). Each entry includes the revoked certificate&#8217;s serial number and revocation date. It may also include a time limit, whether the revocation applies for a limited or specific time period, and a reason for the revocation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Why does a digital certificate get revoked?<\/strong><\/h3>\n\n\n\n<p>X.509 digital certificates play a vital role in PKI and\u00a0web security. Every TLS\/SSL certificate has a finite validity period. However, it could be revoked before its validity period ends for many reasons.<\/p>\n\n\n\n<p>This process is sometimes known as PKI certificate revocation.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>For example, a CA may discover that it improperly issued a certificate, revoke the original certificate and reissue a new one. Or it may discover that a certificate is\u00a0counterfeit, in which case it will be revoked and added to the CRL. The most common reason for revocation is when a certificate&#8217;s\u00a0private key\u00a0has been\u00a0compromised.<\/p><\/blockquote>\n\n\n\n<p>Other reasons for revoking a certificate include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The issuing CA has been compromised<\/li><li>The certificate owner no longer owns the\u00a0domain\u00a0for which it was issued<\/li><li>The certificate owner has ceased operations entirely<\/li><li>The original certificate has been replaced with a new certificate from another issuer<\/li><\/ul>\n\n\n\n<p>Certificate revocations are not uncommon. 
In 2019, several CAs, including\u00a0Apple\u00a0and\u00a0Google, revoked millions of certificates because the certificates were mistakenly issued with noncompliant 63-bit\u00a0serial numbers, instead of 64-bit serial numbers containing unique, positive integers with 64 bits of entropy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Why is a CRL important?<\/strong><\/h3>\n\n\n\n<p>The main purpose of a CRL is for CAs to make it known that a site&#8217;s digital certificate is not trustworthy. It warns a site&#8217;s visitors not to access the site, which may be fraudulently impersonating a legitimate site.<\/p>\n\n\n\n<p>A CRL also protects visitors from\u00a0man-in-the-middle\u00a0attacks. In the absence of a CRL, a visitor may access a potentially risky site, leaving them vulnerable to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>data breaches<\/li><li>malware<\/li><li>identity fraud or theft<\/li><li>financial loss<\/li><li>account\u00a0hijacks\/takeovers<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"954\" height=\"670\" src=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/types-of-malware-graphic.png\" alt=\"types of malware graphic\" class=\"wp-image-7790\" srcset=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/types-of-malware-graphic.png 954w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/types-of-malware-graphic-300x211.png 300w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/types-of-malware-graphic-768x539.png 768w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/types-of-malware-graphic-800x562.png 800w\" sizes=\"(max-width: 954px) 100vw, 954px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What are the drawbacks of certificate revocation lists?<\/strong><\/h3>\n\n\n\n<p>One of the problems with CRLs is they&#8217;re difficult to maintain. 
CRLs are also an inefficient method of distributing critical information in\u00a0real time.<\/p>\n\n\n\n<p>When a CA receives a CRL request from a browser, it returns a complete list of all the revoked certificates that the CA manages. The browser must then parse the list to determine if the certificate of the requested site has been revoked.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>CRLs are often updated weekly or daily and, in some cases, hourly. However, any time gap could allow a revoked certificate to be accepted, particularly because CRLs are\u00a0cached\u00a0to avoid incurring\u00a0overhead\u00a0due to repeated\u00a0downloads. Also, if the CRL is unavailable, then any operations that depend on certificate acceptance will be prevented, and that may lead to a denial-of-service (DoS) attack.<\/p><\/blockquote>\n\n\n\n<p>Another issue is that different browsers handle CRLs differently, which creates the risk of further security vulnerabilities. The method used to check certificate revocation status varies by browser and, in some instances, depends on which\u00a0operating system\u00a0the browser is running. Unless it is an\u00a0Extended Validation Certificate, some browsers only check the validity of the\u00a0server&#8217;s\u00a0certificate, not the entire chain of certificates required for validation.<\/p>\n\n\n\n<p>For example,\u00a0Mozilla Firefox\u00a0and\u00a0Google Chrome\u00a0on\u00a0Linux\u00a0support CRLs delivered in the standard\u00a0binary\u00a0format, but they cannot process\u00a0RSA Security&#8217;s\u00a0CRLs because they&#8217;re in a text-based format. 
Nonetheless, they will still allow the connection to go ahead without a warning.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"587\" src=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/security-signs-of-a-dos-attack-image-1024x587.png\" alt=\"Security signs of a dos attack image\" class=\"wp-image-7791\" srcset=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/security-signs-of-a-dos-attack-image-1024x587.png 1024w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/security-signs-of-a-dos-attack-image-300x172.png 300w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/security-signs-of-a-dos-attack-image-768x440.png 768w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/security-signs-of-a-dos-attack-image-800x458.png 800w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/10\/security-signs-of-a-dos-attack-image.png 1140w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption><strong>An unavailable certificate revocation list could lead to a DoS attack when operations that depend on one are prevented<\/strong><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Certificate revocation lists vs. certificate transparency logs<\/strong><\/h3>\n\n\n\n<p>Although CRL and certificate transparency logs (CT logs) both deal with X.509 digital certificates, and are often mistaken for each other, they&#8217;re actually two separate processes and serve two different functions.<\/p>\n\n\n\n<p>A CT\u00a0log\u00a0is like a certificate inventory for a particular domain. It only records the certificates issued for that domain and doesn&#8217;t provide information about whether a certificate is revoked.<\/p>\n\n\n\n<p>This is exactly the purpose of the CRL. Moreover, the CRL only lists the revoked certificates. 
It does not list all the certificates issued for that domain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Certificate revocation lists vs. Online Certificate Status Protocol<\/strong><\/h3>\n\n\n\n<p>The\u00a0Certificate Authority Security Council\u00a0&#8212; whose members include leading CAs &#8212; wants to promote the importance of certificate-revocation checking, and the adoption and deployment of Online Certificate Status Protocol (OCSP) stapling as an alternative to the use of CRLs.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>OCSP is an alternative to using CRLs. Instead of having to download the latest CRL and check whether a requested Uniform Resource Locator, or\u00a0URL, is on the list, the browser sends the certificate for the site in question to the CA, which returns a value of &#8220;good,&#8221; &#8220;revoked&#8221; or &#8220;unknown&#8221; for that certificate.<\/p><\/blockquote>\n\n\n\n<p>OCSP stapling eliminates the need for a browser to request the OCSP response directly from the CA. Instead, when the website sends its certificate to the browser, it attaches (staples) its OCSP response.<\/p>\n\n\n\n<p>This approach transfers far less data, which doesn&#8217;t need to be parsed before it can be used. It also protects the end user&#8217;s\u00a0privacy\u00a0because the CA only sees requests from websites, not the website&#8217;s end users. Most major web servers and browsers support OCSP stapling, and support for its use is growing.<\/p>\n","protected":false},"author":113,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[155,307,4,127,30,54,125,3,147,9,224],"tags":[],"class_list":["post-7788","post","type-post","status-publish","format-standard","hentry","category-batting-for-tech-in-the-covid-19-times","category-cybersecurity-risk-assessment-and-management","category-datacenter-news","category-enterprise-identity-and-access-management","category-expert-advise-and-opinion","category-hackers-and-cybercrime-prevention","category-identity-and-access-management","category-industry-news-and-expert-advise","category-security","category-tech-definitions","category-technical-explanations"],"_links":{"self":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/7788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/users\/113"}],"replies":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/comments?post=7788"}],"version-history":[{"count":1,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/7788\/revisions"}],"predecessor-version":[{"id":7792,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/7788\/revisions\/7792"}],"wp:attachment":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/media?parent=7788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/categories?post=7788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/tags?post=7788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}