In association with heise online

06 October 2009, 17:41

Worth Reading: Certificate Request? Ask Later!

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Moxie Marlinspike has taken a closer look at the Online Certificate Status Protocol (OCSP) that is the primary revocation mechanism for SSL certificates. OCSP is used when a browser wants to query whether a certificate has been revoked. Marlinspike discovered that the included status messages sent in response to this query are not digitally signed. So while it is not possible to simply fake the answer to the query, if a certificate is still valid a man-in-the-middle could modify the status. If the value of OCSPResponseStatus is set to 3, the requesting browser will interpret that as "Try again Later" and will accept the certificate temporarily.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit