Internet security is a passion of mine. It’s why I get up in the morning (it’s also why I sometimes cry myself to sleep). For many netizens, protection is summarized by a green lock icon in the address bar.
That lock tells us that a Certificate Authority (CA) has verified the website is who they say they are. The secure websites you visit provide your browser with a certificate that has been countersigned by the CA; that certificate is only valid for a limited time (a couple of years).
When good certs go bad...
So what happens when a signed certificate that has not yet expired gets compromised?
The Online Certificate Status Protocol (OCSP) allows a certificate to be revoked before its expiry date. OCSP adds an additional check to the certificate exchange process, which makes the process take a little longer.
If you want to go fast...
But we don’t like it when things take a little longer on the Internet. So we invented OCSP stapling. OCSP stapling allows the website you are exchanging certificates with to pre-fetch the OCSP check for you; like the certificate itself, that response is signed, in this case by the OCSP Responder. Unlike the CA signature, though, these signatures expire much faster (it depends on the Responder; the default is 24 hours).
What could go wrong...
It depends on which side of the browser you are on. If you are the visitor to the website, this solution works perfectly for you: you can relax, stop reading and (hopefully) have a renewed faith that you can trust the green lock that keeps you protected.
However, if you are responsible for making the lock green, OCSP recently got a little more dangerous. OCSP allows the OCSP Status Request to send multiple certificate requests at once. OpenSSL recently disclosed a vulnerability where a malicious visitor can use this capability to send a large number of certificates in a single request (up to 64kB). If the malicious user also continuously requests SSL renegotiation, the memory utilization on the server quickly compounds to the point of exhaustion, creating a Denial of Service (DoS).
You can avoid the OCSP DoS by doing the following:
- Upgrading OpenSSL to the latest version
- Using the no-ocsp build option
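What the fix has to achieve on the server side, as an added example (this is not code from the post and not OpenSSL's code): a small Python parser for the status_request extension body as RFC 6066 lays it out, plus a per-connection state object that discards the previous handshake's responder IDs before it processes the next ClientHello and refuses the handshake once a retained-bytes budget is exceeded. The 64 KB budget, the ConnectionState class, the retained_after_renegotiations helper and the sample ClientHello are assumptions constructed for the demonstration, not OpenSSL settings or real traffic.

```python
"""Added example: parse the TLS status_request extension (RFC 6066 section 8)
and bound what a server keeps from it across renegotiations.
Not code from the original post or from OpenSSL; the budget, the state
object and the sample input are assumptions made for this illustration."""
import struct

STATUS_TYPE_OCSP = 1             # CertificateStatusType ocsp(1) from RFC 6066
MAX_RETAINED_BYTES = 64 * 1024   # assumed per-connection budget, not an OpenSSL setting


def parse_status_request(body):
    """Parse a CertificateStatusRequest extension body.

    Layout: status_type(1) | responder_id_list<0..2^16-1> | request_extensions<0..2^16-1>
    Each ResponderID inside the list carries its own 2-byte length prefix.
    Returns (responder_ids, request_extensions); raises ValueError when malformed.
    """
    if len(body) < 5:
        raise ValueError("status_request too short")
    if body[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported status_type %d" % body[0])
    pos = 1
    (list_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    list_end = pos + list_len
    if list_end > len(body):
        raise ValueError("responder_id_list overruns extension")
    responder_ids = []
    while pos < list_end:
        if pos + 2 > list_end:
            raise ValueError("truncated ResponderID length")
        (rid_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if rid_len == 0 or pos + rid_len > list_end:
            raise ValueError("bad ResponderID length")
        responder_ids.append(bytes(body[pos:pos + rid_len]))
        pos += rid_len
    if pos + 2 > len(body):
        raise ValueError("truncated request_extensions length")
    (ext_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + ext_len != len(body):
        raise ValueError("request_extensions length mismatch")
    return responder_ids, bytes(body[pos:])


def build_status_request(responder_ids, request_extensions=b""):
    """Encode a CertificateStatusRequest; used here only to construct test input."""
    id_list = b"".join(struct.pack("!H", len(r)) + r for r in responder_ids)
    return (bytes([STATUS_TYPE_OCSP]) + struct.pack("!H", len(id_list)) + id_list
            + struct.pack("!H", len(request_extensions)) + request_extensions)


class ConnectionState:
    """Per-connection record of the responder IDs kept for the server's OCSP lookup."""

    def __init__(self, limit=MAX_RETAINED_BYTES):
        self.limit = limit
        self.responder_ids = []

    def retained_bytes(self):
        return sum(len(r) for r in self.responder_ids)

    def begin_handshake(self):
        # The essential mitigation: state from the previous handshake is dropped
        # before the next ClientHello is processed, so renegotiation cannot stack it up.
        self.responder_ids = []

    def handle_client_hello(self, ext_body, reset_state=True):
        if reset_state:
            self.begin_handshake()
        ids, _ = parse_status_request(ext_body)
        self.responder_ids.extend(ids)
        if self.retained_bytes() > self.limit:
            # Second line of defence: refuse the handshake instead of growing further.
            self.responder_ids = []
            raise MemoryError("status_request data exceeds per-connection budget")


def retained_after_renegotiations(hello, rounds, reset_state):
    """Feed the same ClientHello `rounds` times as renegotiations; return bytes retained."""
    conn = ConnectionState()
    for _ in range(rounds):
        conn.handle_client_hello(hello, reset_state=reset_state)
    return conn.retained_bytes()


if __name__ == "__main__":
    # Constructed sample: one ClientHello carrying two 32-byte responder IDs.
    hello = build_status_request([b"A" * 32, b"B" * 32])
    print("with reset   :", retained_after_renegotiations(hello, 1000, True))
    print("without reset:", retained_after_renegotiations(hello, 1000, False))
```

With the per-handshake reset the server holds 64 bytes no matter how many renegotiations it sees; without it the same 64 bytes are added on every round, which is the growth the upgrade removes. The budget check is a belt-and-braces measure so that even a parser that forgot to reset would fail closed rather than exhaust memory.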
If you happen to already be a DOSarrest customer, don’t worry, you’re already covered and you won’t have to rebuild a thing on your webserver.
Security Solutions Architect
DOSarrest Internet Security