Jump to content

Browser CRL's (Certificate Revocation Lists)

Lost In Cyberia

Recommended Posts

Hey everyone. So when checking certificates, a browser will usually check to see if OCSP is enabled, if not, it falls back on using the CRL method. It checks to see if the CA has issued an updated CRL (Certificate Revocation List) more recent than the one in it's cache. If so it downloads it, and checks if the certificate it was just issued, is on the list...

Most CA's update these CRL's about once a week or so. My questions are:

Does anyone know the path/location to the CRL? (in linux specifically)

Can you edit these CRL's? It seems to me, editing someone's CRL could provide a easy way to get your certificate accepted if you have access to their machine

Link to comment
Share on other sites

Given the fact that the name specifies its function, I think you can only use it to re-issue a revoked cert. So I guess the interesting bit would be which heartbled keys have been uncovered and from that point on the fun can really start.

If I'm properly reading the firefox sources the CRL is only read into memory and not cached as a file. The only thing they retain is the reference to where the CRL for a CA is, which is an attribute stored somewhere in your certdb.

Link to comment
Share on other sites

Hmm that would make sense. Anyone else concur? I'm inclined to believe it sense in my firefox directory I don't see anything in regards to a CRL set

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...