Sectigo removes CRL support in newly issued certificates


Sectigo (formerly Comodo CA) has removed CRL distribution points on newly issued Domain Validated (DV) SSL/TLS certificates.

I speculate that Organization Validated (OV) and Extended Validation (EV) SSL/TLS certificates will soon no longer contain CRL distribution points either.

What is CRL?

A Certificate Revocation List (CRL) is a list of SSL/TLS certificate serial numbers which have been revoked before expiry and should not be trusted by browsers.

An SSL/TLS certificate can be revoked for many reasons, such as a compromised private key, Certificate Authority (CA) distrust, or because it was wrongly issued.

Revocation does not remove the SSL/TLS certificate in question from its respective domain, as that is done server-side; CRLs ensure that a revoked certificate which is still active does not show as trusted by browsers.

CRLs are signed and issued by CAs, which generate the lists periodically; in Sectigo’s case, every 24 hours.

How does a CRL work?

When a browser makes a request to a secure site, it asks the relevant CA for its CRL, and the CA replies with a list of all its revoked certificates.

The browser then checks this list to ensure that the SSL/TLS certificate securing the site isn’t listed.

Unfortunately, CRLs are rather prone to error.

As previously mentioned, CRLs require regular updating, which makes them high maintenance for CAs and leaves a window in which a revoked SSL/TLS certificate still shows as trusted.

CRLs are also inefficient as, depending on the length of the list, they can be very slow to check.

What is OCSP?

Online Certificate Status Protocol (OCSP) is a protocol used to check an SSL/TLS certificate’s status to ensure that it is trustworthy.

As such, though different in functionality, it serves the same purpose as CRLs.

The original OCSP had significant problems; OCSP stapling, a superior approach, is what CAs and browsers use to check SSL/TLS certificates.

How does OCSP stapling work?

CAs have a dedicated server, called an OCSP responder, which listens for OCSP requests.

“Instead of making a request to the CA’s server for each certificate verification request, OCSP stapling allows the web server to query the OCSP responder directly at regular intervals and cache the response.” KeyCDN says.

“When a user attempts to visit the site, the digitally time-stamped response is then “stapled” with the TLS/SSL handshake via the Certificate Status Request extension response.

“Based on the OCSP response, the browser either displays the web page or shows an error message that the certificate is invalid.”

Why the change?

The biggest benefit of using OCSP stapling over CRL is that it allows real-time status checking and is far speedier.

It also keeps users’ browsing information private, as the browser does not need to connect to the CA’s server, meaning the CA will not know which website you are visiting.

To the CA’s benefit, they are no longer flooded with OCSP requests, since the server caches the response.

OCSP stapling is supported by all major browsers and CAs, and with Sectigo’s recent removal of CRL distribution points from their DV SSL/TLS certificates, it is possible that this marks the beginning of widespread removal of support for outdated CRLs.

This is a welcome move by Sectigo, as it incentivizes individuals to upgrade and enable OCSP stapling on their servers, securing a safer Web for everyone.
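
To check which revocation pointers a certificate actually carries, the added example below (not from the original post or from Sectigo) walks the DER encoding with the Python standard library and lists the CRL distribution point URLs and the OCSP responder URL, which sits in the Authority Information Access extension. The function names and the example.test URLs in the constructed samples are assumptions for illustration.

```python
OID_CDP = bytes.fromhex("551d1f")             # 2.5.29.31 cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def children(buf):
    """Yield (tag, value) for each DER element directly inside buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2: raise ValueError("truncated DER header")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                     # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf): raise ValueError("truncated DER value")
        yield tag, buf[i:i + length]
        i += length

def walk(buf):
    """Yield (tag, value) for every element at or below buf, depth first."""
    for tag, val in children(buf):
        yield tag, val
        if tag & 0x20:                        # constructed element: descend into it
            yield from walk(val)

def revocation_pointers(der):
    """Return {'crl': [...], 'ocsp': [...]} URLs from a DER certificate."""
    found = {"crl": [], "ocsp": []}
    for tag, val in walk(der):
        kids = list(children(val)) if tag == 0x30 else []
        if len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
            oid, value = kids[0][1], kids[-1][1]   # Extension: OID ... OCTET STRING
            if oid == OID_CDP:                # URIs are GeneralName [6], byte 0x86
                found["crl"] += [v.decode("ascii") for t, v in walk(value) if t == 0x86]
            elif oid == OID_AIA:              # keep id-ad-ocsp entries, skip caIssuers
                for _, ad in children(next(children(value))[1]):
                    (_, method), (ltag, loc) = list(children(ad))[:2]
                    if method == OID_OCSP and ltag == 0x86:
                        found["ocsp"].append(loc.decode("ascii"))
    return found

def tlv(tag, *parts):  # short-form DER encoder, used only to build the samples below
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed samples (not real certificates): extension lists with and without a CRL DP.
CDP = tlv(0x30, tlv(0x06, OID_CDP), tlv(0x04, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0,
          tlv(0x86, b"http://crl.example.test/ca.crl")))))))
AIA = tlv(0x30, tlv(0x06, OID_AIA), tlv(0x04, tlv(0x30, tlv(0x30,
          tlv(0x06, OID_OCSP), tlv(0x86, b"http://ocsp.example.test")))))
WITH_CRL, OCSP_ONLY = tlv(0x30, CDP, AIA), tlv(0x30, AIA)
```

Pass the DER bytes of a real certificate (for example via `ssl.PEM_cert_to_DER_cert`) to `revocation_pointers`; an empty `crl` list alongside a populated `ocsp` list is what the change described in this post looks like.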
