Lost In Cyberia, posted May 19, 2014:

Hey everyone. So when checking certificates, a browser will usually check to see if OCSP is enabled; if not, it falls back on using the CRL method. It checks to see if the CA has issued an updated CRL (Certificate Revocation List) more recent than the one in its cache. If so, it downloads it and checks if the certificate it was just issued is on the list... Most CAs update these CRLs about once a week or so. My questions are: Does anyone know the path/location to the CRL? (in Linux specifically) Can you edit these CRLs? It seems to me, editing someone's CRL could provide an easy way to get your certificate accepted if you have access to their machine.
cooper, posted May 19, 2014:

Given the fact that the name specifies its function, I think you can only use it to re-issue a revoked cert. So I guess the interesting bit would be which Heartbleed keys have been uncovered, and from that point on the fun can really start. If I'm properly reading the Firefox sources, the CRL is only read into memory and not cached as a file. The only thing they retain is the reference to where the CRL for a CA is, which is an attribute stored somewhere in your certdb.
Lost In Cyberia (author), posted May 20, 2014:

Hmm, that would make sense. Anyone else concur? I'm inclined to believe it, since in my Firefox directory I don't see anything in regards to a CRL set.
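The thread never spells out why a locally edited CRL would not get a certificate accepted, so here is an added example (not code from the thread or from any browser) that walks through what a relying party does with a fetched CRL. It builds a throwaway CA, a leaf certificate and a CRL revoking that leaf, entirely in memory with Go's standard library; all names, serial numbers and the CRL distribution point URL are constructed for the example. The CRL is a signed object, so the check does three things in order: verify the CA's signature over the list, make sure the list is not past its NextUpdate, and only then look the serial up. The example then shows the two ways the "edit the cached CRL" idea fails: a replacement list that omits the serial but is signed by a key that is not the CA's, and a one-byte edit to the genuine list. Both are rejected before any lookup happens.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI holds a constructed CA, one leaf certificate and the CA's CRL (DER).
type demoPKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	leaf   *x509.Certificate
	crlDER []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSignedCA issues a self-signed CA certificate with the cRLSign key usage,
// which Go requires before it will build a CRL for that issuer.
func selfSignedCA(name pkix.Name, serial int64, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               name,
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signCRL issues a CRL for issuer. NextUpdate is one week out, matching the
// roughly weekly refresh mentioned in the thread.
func signCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Hour),
		NextUpdate:          now.Add(7 * 24 * time.Hour),
		RevokedCertificates: revoked,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// BuildDemoPKI creates the constructed CA, a leaf with serial 4242, and a CRL
// that revokes that leaf.
func BuildDemoPKI() (*demoPKI, error) {
	caKey := newKey()
	caCert, err := selfSignedCA(pkix.Name{CommonName: "Demo Root CA (constructed)"}, 1, caKey)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(4242),
		Subject:               pkix.Name{CommonName: "www.example.invalid"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"http://crl.example.invalid/demo.crl"}, // placeholder
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &newKey().PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	crlDER, err := signCRL(caCert, caKey, []pkix.RevokedCertificate{
		{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)},
	})
	if err != nil {
		return nil, err
	}
	return &demoPKI{caCert: caCert, caKey: caKey, leaf: leaf, crlDER: crlDER}, nil
}

// CheckRevocation is the relying-party side: signature, freshness, then lookup.
// Any error means the CRL is untrusted and must not be used for a decision.
func CheckRevocation(crlDER []byte, ca, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL signature rejected: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale since %s", crl.NextUpdate)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// ReplacedCRL models the scenario asked about in the thread: a cached list is
// swapped for one that omits the serial. Without the CA's private key the
// replacement can only be signed with some other key, here under the same name.
func ReplacedCRL(realCA *x509.Certificate) ([]byte, error) {
	otherKey := newKey()
	lookalike, err := selfSignedCA(realCA.Subject, 99, otherKey)
	if err != nil {
		return nil, err
	}
	return signCRL(lookalike, otherKey, nil)
}

// TamperedCRL flips the last byte of the genuine DER (inside the signature).
func TamperedCRL(crlDER []byte) []byte {
	out := append([]byte(nil), crlDER...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	pki, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	revoked, err := CheckRevocation(pki.crlDER, pki.caCert, pki.leaf)
	fmt.Println("genuine CRL:  revoked =", revoked, "err =", err)
	replaced, _ := ReplacedCRL(pki.caCert)
	revoked, err = CheckRevocation(replaced, pki.caCert, pki.leaf)
	fmt.Println("replaced CRL: revoked =", revoked, "err =", err)
	revoked, err = CheckRevocation(TamperedCRL(pki.crlDER), pki.caCert, pki.leaf)
	fmt.Println("tampered CRL: revoked =", revoked, "err =", err)
}
```

The order inside CheckRevocation is the point: the serial lookup runs only after the signature and freshness checks pass, so where the list sits on disk, or whether it is cached as a file at all (as cooper notes for Firefox), does not change the outcome. Someone who can write to the cache can at most cause the check to fail, which a correctly written client treats as "no answer", not as "not revoked"; the practical defensive takeaway is to watch how a given client handles that failure (soft-fail versus hard-fail) rather than where it stores the list. Requires Go 1.19 or later for x509.ParseRevocationList and CheckSignatureFrom.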