Wednesday, September 16, 2015

Disable certificate revocation checking for Internet Explorer, Firefox, and Java



Java

Open Java Control Panel
Advanced tab

Perform signed code certificate revocation checks on: select Do not check (not recommended)

Perform TLS certificate revocation checks on: select Do not check (not recommended)

Advanced Security Settings: uncheck Enable blacklist revocation check




Firefox

Type about:config in the address bar and dismiss the prompt

Type ocsp in the search bar


Set security.OCSP.enabled to 0

Set security.ssl.enable_ocsp_stapling to false

Set services.sync.prefs.sync.security.OCSP.enabled to false

Set services.sync.prefs.sync.security.OCSP.require to false





Internet Explorer

Tools > Options
Advanced tab
Security category

Uncheck Check for publisher's certificate revocation





What does this change do?

Certificates are issued to validate the identity of a provider or a user.

Certificates are issued by a certificate authority.

Certificate authorities are verified using a root certificate, stored in the Certified Root Certification Authorities certificate container, and an intermediate certificate, stored in the Intermediate Certification Authorities container.

Once issued, a certificate may be revoked by the certification authority for a variety of reasons. Some examples:
·         A zero-day exploit that relies on a compromised certificate or on weak certificate encryption
·         A zero-day exploit against functionality that could be abused through a weak certificate
·         A service or certification authority that is being retired (Example: retirement of SHA1 and 2048 byte length certification authorities)
·         Removal of user access (Example: SmartCards)

When accessing a service secured by a certificate, both the certificate and the certificate issuer must be verified. A thorough security check verifies that the certificates exist and determines whether they have been revoked.

Checking for certificate revocation is slightly more time consuming than a basic certificate validity check. Some applications check for revocation but, if the revocation sources are not available, continue on the assumption that the certificates are not revoked. For example, IE version 8 will continue to a web site if the certificate revocation source was not found (unenforced revocation checking), while Microsoft's IPsec implementation will fail the connection if the certificate revocation source is unavailable (enforced revocation checking).

Every certificate that is issued contains information about where to check for revocation; this certificate revocation information is stored as a property of the certificate.
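As an added illustration (not code from the original post), the Go program below builds a constructed, self-signed test certificate that carries placeholder revocation pointers, reads those pointers back out of the certificate the way a client would, and models the unenforced (soft-fail) versus enforced (hard-fail) behaviour described above when the revocation source cannot be reached. The URLs and the status strings are assumptions made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// sampleCert builds a constructed, self-signed test certificate carrying
// placeholder revocation pointers (not any real CA's endpoints).
func sampleCert() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"},
		OCSPServer:            []string{"http://ocsp.example.test"},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// revocationPointers reads the CRL distribution points and OCSP responder URLs
// out of a DER certificate: the revocation information stored in the cert itself.
func revocationPointers(der []byte) ([]string, []string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert.CRLDistributionPoints, cert.OCSPServer, nil
}

// acceptCertificate models the two client policies: when the revocation source is
// "unavailable", soft-fail (enforce=false) accepts, hard-fail refuses; "revoked" never passes.
func acceptCertificate(status string, enforce bool) bool {
	return status == "good" || (status == "unavailable" && !enforce)
}

func main() {
	der, err := sampleCert()
	if err != nil {
		panic(err)
	}
	crl, ocsp, _ := revocationPointers(der)
	fmt.Println("CRL:", crl, "OCSP:", ocsp, "soft-fail accepts when source down:", acceptCertificate("unavailable", false))
}
```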

What is the impact of this change?

This disables certificate revocation checking for web pages visited in Firefox and Internet Explorer. It also disables certificate revocation checking for Java applications signed with a certificate. This could expose you if an attacker tried to impersonate a web site using a certificate that has not yet reached its expiration date but has been revoked on the public internet.