In association with heise online

6 October 2009, 18:41

Worth Reading: Certificate Request? Ask Later!

Moxie Marlinspike has taken a closer look at the Online Certificate Status Protocol (OCSP), the primary revocation mechanism for SSL certificates. A browser uses OCSP to ask a responder whether a certificate has been revoked. Marlinspike discovered that only the actual status answer inside the response (the BasicOCSPResponse) is digitally signed; the outer status field that wraps it, the OCSPResponseStatus, is not. So while a man-in-the-middle cannot forge a signed "good" answer for a revoked certificate, he can intercept the query and reply with a response whose unsigned OCSPResponseStatus is set to 3. The requesting browser interprets that as "Try again later" and, instead of failing, accepts the certificate for the time being, without ever learning that it has been revoked.
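To make the structural point concrete, here is an added example (not code from the article or from Marlinspike's talk) that encodes and parses the outer OCSPResponse envelope from RFC 2560. It shows that a tryLater response is five bytes with no signed body at all, and contrasts a "soft fail" client, which accepts the certificate on any non-successful status, with a "hard fail" client that rejects it. The DER helpers, the placeholder standing in for a real signed BasicOCSPResponse, and the function names are all constructed for this illustration; real signature verification of the inner response is out of scope.

```python
"""Outer OCSPResponse envelope (RFC 2560 section 4.2.1):

    OCSPResponse ::= SEQUENCE {
        responseStatus  OCSPResponseStatus,
        responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }

    OCSPResponseStatus ::= ENUMERATED { successful(0), malformedRequest(1),
        internalError(2), tryLater(3), sigRequired(5), unauthorized(6) }

Only the BasicOCSPResponse carried inside responseBytes is signed.
responseStatus sits outside that signature, which is what the attack uses.
All inputs below are constructed for this example.
"""

STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1


def _tlv(tag, body):
    """Encode one DER TLV; lengths up to 65535 bytes are enough here."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def encode_ocsp_response(status, response_bytes=None):
    """Build the outer envelope; response_bytes is the DER ResponseBytes."""
    body = _tlv(0x0A, bytes([status]))          # ENUMERATED responseStatus
    if response_bytes is not None:
        body += _tlv(0xA0, response_bytes)      # [0] EXPLICIT ResponseBytes
    return _tlv(0x30, body)                     # SEQUENCE


def parse_ocsp_response(der):
    """Return (status, response_bytes) from the unsigned outer envelope."""
    tag, seq, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("OCSPResponse is not a single SEQUENCE")
    tag, status_val, pos = _read_tlv(seq)
    if tag != 0x0A or len(status_val) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    response_bytes = None
    if pos < len(seq):
        tag, response_bytes, pos = _read_tlv(seq, pos)
        if tag != 0xA0 or pos != len(seq):
            raise ValueError("unexpected trailing data in OCSPResponse")
    return status_val[0], response_bytes


def attacker_try_later():
    """The reply a man-in-the-middle substitutes for the responder's answer:
    five bytes, no signature, because responseStatus is outside the signed body."""
    return encode_ocsp_response(3)


def constructed_successful_response():
    """A 'successful' envelope whose inner body is a placeholder (constructed),
    not a genuinely signed BasicOCSPResponse."""
    placeholder_basic = b"\x30\x00"
    response_bytes = _tlv(0x30, _tlv(0x06, ID_PKIX_OCSP_BASIC)
                          + _tlv(0x04, placeholder_basic))
    return encode_ocsp_response(0, response_bytes)


def client_decision(der, soft_fail=True):
    """What a client may conclude BEFORE any signature check.
    'verify': a signed BasicOCSPResponse is present and must be verified.
    'accept-unverified': the soft-fail behaviour described in the article.
    'reject': hard-fail, the only option that does not trust unsigned data."""
    status, response_bytes = parse_ocsp_response(der)
    if status == 0:
        if response_bytes is None:
            raise ValueError("successful status without responseBytes")
        return "verify"
    # Every non-successful status carries no signed body, so the client has
    # learned nothing authenticated about the certificate's revocation state.
    return "accept-unverified" if soft_fail else "reject"


if __name__ == "__main__":
    forged = attacker_try_later()
    status, body = parse_ocsp_response(forged)
    print(forged.hex(), STATUS_NAMES[status], "signed body:", body is not None)
    print("soft-fail client:", client_decision(forged))
    print("hard-fail client:", client_decision(forged, soft_fail=False))
```

The hard-fail branch is the fix the page implies: a client that refuses to proceed on any response without a verifiable signed body cannot be talked out of a revocation check with one unsigned byte, at the cost of availability whenever the responder really is unreachable.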

(djwm)

