| ▲ | redleader55 2 days ago |
| Checking for revocation doesn't scale and has serious privacy implications. There are two ways to do revocation: CRL and OCSP. CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data. OSCP is more like a query API - did this cert expire? The problem is you need to make that query for each visit and you leak your IP address when you do that query. The hoster would need to provide capacity to run those queries and serve the result. For each visit you'd need to pay a few round-trips worth of delay before showing the content, sometimes while part of the content is downloaded: you download example.com, which has some CSS which is hosted at static.example.com, and the website redirects you to m.example.com which is the mobile version after running some JavaScript which detects the browser capabilities. |
|
| ▲ | zephyreon 2 days ago | parent | next [-] |
| So the answer then is just much shorter-lived certs? I could definitely still see the need for an immediate revocation to be recognized near-instantaneously. Or in practice is that ultimately not necessary? |
| |
| ▲ | xyzzy_plugh 2 days ago | parent [-] | | Yes, I think short-lived certs are ultimately where we're headed. We're starting to see adoption for O(days) now but I imagine that the lifetime will continue to decrease to some minimum O(hours) in the years to come. | | |
| ▲ | toast0 2 days ago | parent | next [-] | | I dread supporting O(hours). Clients often have wrong clocks. I've seen some client systems that enforced 'Not Before' and interpreted the datetime as local time and there were many users of that platform in the Americas; and my CA at the time insisted that Not Before was the time of issuance... lots of fun deciding how long to keep using a revoked certificate to balance the users with working revocation vs the users with broken Not Before checking. The client system I'm aware of is very dead, but maybe other systems managed similar. | |
| ▲ | zephyreon 2 days ago | parent | prev [-] | | Ironically this ends up putting a ton more load on the issuers, which some others have pointed out is why revocation doesn’t scale well (other than privacy concerns, which are valid). |
|
|
|
| ▲ | goalieca a day ago | parent | prev | next [-] |
| > CRL is a list that becomes huge over time IETF will be gradually reducing maximum length of public certs to 47 days. I expect this will help some of the issue since expired certs can be removed from the list. |
|
| ▲ | sugarpimpdorsey 2 days ago | parent | prev | next [-] |
| > CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data. Compared to what? 12MB JavaScript bundles and autoplay videos? Do CDNs still exist? There's a finite number of CAs and browsers can be expected to perform caching. Delta CRLs also exist and the CAs can decline to include expired leaf certs. This sounds like a made up problem that was solved 25 years ago. |
| |
| ▲ | redleader55 2 days ago | parent [-] | | If you cache the revocation list, you lose all the benefits of instant revocation making the whole process pointless. | | |
| ▲ | sugarpimpdorsey 2 days ago | parent [-] | | OCSP is dead. We don't have that luxury anymore. By caching I meant for 12-24 hrs. | | |
| ▲ | redleader55 2 days ago | parent [-] | | Again, if you need to revoke a certificate, it means something terrible happened - someone compromised your server and your website has a good chance to be impersonated by 3rd parties. In all the other cases, you just let the old cert expire. You likely don't want people finding out about the revocation 12-24 hours later. | | |
|
|
|
|
| ▲ | tjoff 2 days ago | parent | prev [-] |
| You could of course cache the list, only download whatever was new from a specific date. Short-lived certs would vastly reduce the list as well. Not really sure how big of a problem a list could be? |
| |
| ▲ | pmontra 2 days ago | parent [-] | | Let's see. I can cache the information that example.com is valid up to May 31 2026, but then how do I know that it gets revoked on any day before that date? And if I cache the information that it is revoked, how do I know that it's allowed again? I could check, let's say one time per day even if I don't access that site. In any case I'm still leaking which domains I browse and I keep trusting cached certificates until the next check. On the other side, with short lived certificates I would be trusting a certificate for a longer time, until it expires. Downloading a list of all certificates and their status from every CAs is probably unfeasible. It seems that we can't escape a tradeoff between privacy and security. | | |
| ▲ | tjoff a day ago | parent [-] | | You cache the revocation list, no? If it is in the list it is revoked... How do you know it is allowed again? Because it responds with a new certificate, that isn't revoked... You are not leaking anything. You are just downloading a list of revoked domains. Regardless of whether you are visiting them or not. |
|
|
