[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clientsin SSH DH key exchange
- From: "Larry Seltzer" <larry@xxxxxxxxxxxxxxxx>
- Date: Mon, 26 May 2008 09:15:22 -0400
>>> No, CRLs don't work. Firefox for example does not check for CRLs
>>> (default setting), making certificate revocation senseless. I
assume,
>>> other Browsers don't check CRLs either. And what about the german
> That is indeed a problem. AFAIK IE 7 on Vista now does some CRL
checking
> by default, but I haven't tried it yet.
I did some research on this recently, and the story for browser support
is actually much more complicated. In addition to CRLs there is a
protocol called OCSP for checking the status of a specific certificate
by serial number.
* Internet Explorer 6 and Internet Explorer 7 on Windows XP
support CRL checking but default to not using it.
* Firefox 1 and 2 support both OCSP and CRL, but default to
using CRL.
* Internet Explorer 7 on Vista and Firefox 3 support both OCSP
and CRL and default to using OCSP. Opera 8.5 and later supports only
OCSP and uses it by default.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/