A Certificate Revocation List (CRL) is a list of digital certificates that a Certificate Authority (CA) has revoked before they expire. Think of it as a blacklist of certificates that are no longer trustworthy. Web browsers and other endpoints use CRLs to check if a website’s certificate is valid. If a certificate appears on a CRL, it means the site’s identity is questionable, which raises red flags about protecting user data.
When a CA issues a digital certificate, it signs it to prove authenticity. It signs the CRL in the same way, so that anyone who downloads the list can detect tampering.
Now, what is a digital certificate? It’s a crucial part of securing online communications over protocols such as TLS/SSL. This certificate, signed by a CA, confirms the owner’s identity. When you connect to a website over TLS, your browser checks the certificate for any issues, including whether it’s on a CRL.
Here’s how the CRL check works:
1. If a revoked certificate is in use, the browser alerts the user when they try to access the webpage.
2. The user sends their digital certificate through an access point.
3. The access point forwards it to an authentication server.
4. The server checks if the certificate is still valid.
5. If it is, the server looks up the user in its database.
6. Next, it checks the CRL to see if the certificate has been revoked by looking at the serial number.
7. If the serial number isn’t in the CRL, access is granted.
CRLs are important because they inform users that a site’s certificate isn’t trustworthy, helping prevent access to potentially fraudulent websites and defending against man-in-the-middle attacks. Without a CRL, users might visit risky sites, exposing themselves to malware and other threats.
CRLs are part of a broader system known as Public Key Infrastructure (PKI), which uses public key encryption and digital certificates to secure information exchanges online. Without CRLs, PKI wouldn’t effectively function, allowing phishing and fraud to take hold.
A CRL includes details like the revoked certificate’s serial number, revocation date, and possibly a reason for the revocation. The National Institute of Standards and Technology defines a CRL as a list of certificates that have been revoked before their expiration, distinguishing them from expired certificates.
Certificates may get revoked for several reasons, such as issuing errors, a compromised key, or a change in ownership. Each reason has a corresponding revocation code.
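As an added illustration, not code from the original article, the following Go program builds a throwaway CA and a CRL that revokes one constructed serial number for key compromise, then performs the check described in the steps above: it verifies the CRL’s signature against the issuing CA, refuses a CRL whose NextUpdate has already passed (the stale-data problem discussed later), and looks the serial number up, decoding the CRLReason entry extension from RFC 5280 that carries the revocation code. The CA name, serial numbers, dates and CRL number are constructed demo values; everything else is the Go standard library’s crypto/x509 API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CRLReason values from RFC 5280 section 5.3.1 (the "revocation codes").
var reasonNames = map[int]string{
	0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
	4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
	8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise",
}

// id-ce-cRLReasons, the per-entry extension that carries the reason code.
var oidCRLReason = asn1.ObjectIdentifier{2, 5, 29, 21}

// Status is the outcome of checking one serial number against a CRL.
type Status struct {
	Revoked bool
	Reason  string
	At      time.Time
}

// CheckSerial is the relying-party side: verify the CRL signature, reject a
// stale CRL (fail closed), then look the serial number up.
func CheckSerial(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return Status{}, err
	}
	// The CA signs the CRL; without this check anyone could publish a list.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return Status{}, fmt.Errorf("CRL signature invalid: %w", err)
	}
	// A CRL past its NextUpdate may be missing newer revocations.
	if now.After(crl.NextUpdate) {
		return Status{}, errors.New("CRL is stale: NextUpdate has passed")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) != 0 {
			continue
		}
		reason := "unspecified"
		for _, ext := range rc.Extensions {
			if ext.Id.Equal(oidCRLReason) {
				var code asn1.Enumerated // CRLReason ::= ENUMERATED
				if _, err := asn1.Unmarshal(ext.Value, &code); err == nil {
					if name, ok := reasonNames[int(code)]; ok {
						reason = name
					}
				}
			}
		}
		return Status{Revoked: true, Reason: reason, At: rc.RevocationTime}, nil
	}
	return Status{Revoked: false}, nil
}

// BuildDemoCRL is the CA side: a constructed self-signed CA that revokes one
// serial for keyCompromise (reason code 1) and signs the resulting CRL.
func BuildDemoCRL(revokedSerial *big.Int, revokedAt, thisUpdate, nextUpdate time.Time) ([]byte, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed demo value
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             thisUpdate.Add(-24 * time.Hour),
		NotAfter:              thisUpdate.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER) // parsed copy carries the SubjectKeyId CRL signing needs
	if err != nil {
		return nil, nil, err
	}
	reasonDER, err := asn1.Marshal(asn1.Enumerated(1)) // 1 = keyCompromise
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7), // constructed CRL number
		ThisUpdate: thisUpdate,
		NextUpdate: nextUpdate,
		RevokedCertificates: []pkix.RevokedCertificate{{
			SerialNumber:   revokedSerial,
			RevocationTime: revokedAt,
			Extensions:     []pkix.Extension{{Id: oidCRLReason, Value: reasonDER}},
		}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return crlDER, ca, err
}

func main() {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	crlDER, ca, err := BuildDemoCRL(big.NewInt(4242), now.Add(-time.Hour), now, now.Add(7*24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, s := range []*big.Int{big.NewInt(4242), big.NewInt(4243)} {
		st, err := CheckSerial(crlDER, ca, s, now)
		fmt.Printf("serial %v: revoked=%v reason=%q err=%v\n", s, st.Revoked, st.Reason, err)
	}
	_, err = CheckSerial(crlDER, ca, big.NewInt(4243), now.Add(30*24*time.Hour))
	fmt.Println("checked after NextUpdate:", err)
}
```

The order of the three checks matters: a signature failure or a stale list is reported as an error rather than as “not revoked”, so a caller cannot mistake an unusable CRL for a clean result. A real client would additionally confirm that the CRL’s issuer matches the certificate’s issuer and would fetch the list from the CRL distribution point named in the certificate.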
However, maintaining CRLs can be challenging. They may not always reflect real-time data, which could lead to users accepting revoked certificates and facing security risks. Browsers cache CRLs to minimize download overhead, which can mean delays in updates. If a CRL fails to load, operations requiring its validation could be disrupted, potentially leading to Denial-of-Service attacks.
Different browsers also handle CRLs in varied ways, which can complicate checks and might expose users to vulnerabilities. For instance, some browsers may not process certain formats of CRLs, leading to connections without warnings.
CRLs shouldn’t be confused with Certificate Transparency Logs (CT logs). While both concern digital certificates, CT logs merely track issued certificates for a domain, while CRLs specifically list revoked ones.
The Certificate Authority Security Council promotes the Online Certificate Status Protocol (OCSP) as a modern alternative to CRLs. OCSP allows browsers to request revocation status from a CA in real time, making the process faster and more efficient. Instead of constantly checking a CRL, the browser can get a direct response of “good,” “revoked,” or “unknown” for a specific certificate.
OCSP stapling enhances this by allowing websites to attach OCSP responses when serving their certificates to the browser, ensuring quicker access to revocation status while maintaining user privacy. While OCSP has its advantages, it also has drawbacks, such as vulnerability to replay attacks and less detail compared to CRLs.
Ensuring the authenticity of online communications remains vital for businesses, and understanding digital certificates and their revocation processes is key.