Common Problems With SSL Revocation Checks
SSL certificates are, on the whole, amazing inventions that help to secure your site by encrypting communications between you and your users. They keep website visitors happy, they keep web browsers happy, and they earn your site SEO points with search engines. What’s not to love?
Unfortunately, that doesn’t mean having an SSL on your website is always sunshine and roses. Like all things technical, there is always the chance that something might go wrong. Today we’ll focus on some common issues with SSL revocation checks and what you can do to prevent them.
Before we get into what those problems are, let’s define SSL revocation and why someone might need it.
Why would I revoke my SSL?
SSL revocation is a process that invalidates your SSL certificate before its expiration date to distinguish it from valid SSLs. SSL revocation cancels the certificate, removes HTTPS from your site, and alerts Certificate Authorities (CAs) — the people in charge of issuing and managing SSLs — that your SSL certificate is no longer in use.
It might sound extreme, but there are multiple reasons why an SSL may need to be revoked:
- Your SSL certificate’s private key was lost or stolen
- You simply don’t want to use your SSL anymore
- You needed to get your SSL reissued, so you need to invalidate the old one
- A domain is suspected of malicious activities (like phishing or malware)
- Your SSL was wrongly issued
- You violated your SSL certificate terms of service
When an SSL certificate has been revoked, it’s essential to remove it from your site and replace it with a valid certificate as soon as possible. Websites with revoked SSL certificates won’t be secure and likely won’t work correctly. Nobody wants their users to be greeted with the dreaded “Site not secure” message.
How SSL revocation checks work
When an SSL has been revoked, the CA needs to inform browsers that the SSL is no longer valid. It does this by adding the SSL certificate’s identifier (its serial number) to certificate revocation lists (CRLs) and online certificate status protocol (OCSP) servers.
As the name implies, a CRL is a list of invalid SSL certificates that browsers can check before loading a website. CRLs are usually updated by the CA every 24 hours, and browsers also download the updated lists periodically.
OCSP is a protocol that browsers can use to check an SSL certificate’s status. Before loading a website, the browser contacts a server known as an OCSP responder to check the revocation status of that site’s SSL on the CA’s revocation server. The responder should reply with the SSL certificate’s revocation status and the CA’s private signing key.
A faster version of this process, known as OCSP stapling, is typically used these days. It takes the burden off web browsers and allows the website’s server to store a cached copy of the SSL status and the CA’s private signing key for up to seven days. This way, the web browser doesn’t need to contact the OCSP server at all, as everything is taken care of by the website’s server.
When SSL revocation checks work properly, browsers check CRLs or OCSP servers for a particular website’s SSL status. If an SSL has been revoked, the browser alerts website visitors to this fact with a warning message.
Unfortunately, sometimes these revocation checks don’t work, and browsers will display a website as encrypted and secure when, in actual fact, its SSL has been revoked.
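As an added, constructed demonstration of the CRL mechanism described above (this script is not from the article or any CA vendor): it builds a throwaway CA with the openssl command-line tool, issues one certificate, revokes it, publishes a CRL, and shows that openssl verify still accepts the revoked certificate unless it is explicitly told to consult the CRL. It assumes a POSIX shell and openssl on PATH; DemoCA and example.test are made-up names.

```shell
#!/bin/sh
# Added demo (not from the article): throwaway CA, one leaf cert, revoke it,
# publish a CRL, and compare verification with and without the CRL check.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal constructed config for "openssl ca"; paths are relative to $WORK.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
default_md = sha256
default_days = 30
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
touch index.txt
echo 01 > serial

# Self-signed demo CA, then a leaf certificate for a constructed hostname.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.pem -subj /CN=DemoCA -days 30 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj /CN=example.test 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null

# Revoke the leaf and issue the CRL a real CA would publish for clients to fetch.
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# Returns 0 when the chain verifies without any revocation check.
verify_without_crl() { openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; }
# Returns 0 only if the chain verifies AND the leaf is absent from the CRL.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem >/dev/null 2>&1
}

verify_without_crl && echo "no CRL check: revoked cert still accepted"
verify_with_crl || echo "with CRL check: revoked cert rejected"
```

The second verify fails with a "certificate revoked" error, which is the warning a browser turns into its interstitial page; the first succeeds because the chain itself is still cryptographically valid.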
Errors and vulnerabilities
Two of the biggest concerns with revocation checks are security and privacy. For browsers that use the traditional OCSP method, there is some potential for things to go wrong. If there’s an application issue or network lag during a check, the browser falls back to performing OCSP in soft-fail mode.
Soft-fail mode is intended to prevent user disruption but can actually leave website users vulnerable. In soft-fail mode, the browser automatically treats the SSL as valid and indicates a secure connection even when there isn’t one. In terms of privacy, if an OCSP responder server is ever compromised, user data, such as IP addresses and browser versions, could be exposed.
Another issue with SSL revocation checks is speed. Because it involves downloading and cross-checking a vast list of revoked SSLs, the CRL method in particular can slow down page loading and hurt user experience. OCSP is usually faster than the CRL method but depends on the speed of the CA’s revocation server.
How to avoid revocation check errors
To improve security and speed, website owners should implement OCSP stapling on their servers. Not only will this ensure revocation checks will work as they should, but it should also prevent any potential SSL errors. Check out this article for more information on how to do this.
Website users should check what kind of revocation checks their browser supports. OCSP stapling is ideal, but not all browsers support it. Some browsers, such as Chrome, do not automatically check for revoked SSL certificates, so you will need to turn this on manually in the settings. Some browsers also maintain their own list of revoked SSL certificates to cross-check instead of using CRLs or OCSP.
SSL revocation may not be a top concern for either website owners or visitors, but it should at least be on your radar. By taking just a few minutes to update your server or browser settings, you should be able to prevent errors and potentially speed up website loading times while maintaining secure web communications.