7

As I was about to make payment for my flight ticket, I noticed something strange with the British Airways website's SSL cert. My browser (Google Chrome) was unable to check whether the certificate has been revoked or not! Here's the exact message:

enter image description here

The message from Google Chrome says:

The identity of this website has been verified by GlobalSign Extended Validation CA - SHA256 - G2 but does not have public audit records.

Unable to check whether the certificate has been revoked.

I checked certification information and it looks like there's no other problem with the certificate itself. Things that I would like to know:

  • Is it safe to continue with process knowing the fact that your browser is unable to check cert revocation?

  • How exactly can you confirm if a particular cert has been revoked or not?

D.W.
  • 98,860
  • 33
  • 271
  • 588
Rahil Arora
  • 4,307
  • 2
  • 23
  • 41

2 Answers2

13

Revocation is the only method by which a certificate authority may propagate the information that a private key has been compromised. It is, in fact, a damage containment system: in the unfortunate event of a private key being stolen, the revocation system will make sure that nobody trusts the corresponding certificate more than one week or so after the theft is noticed and reported. If a client does not check revocation status, or bypasses it (as you are proposing to do), then this "one week" delay is extended to the expiration date of the certificate, which can be years away.

By definition, not checking revocation (or ignoring a failure to check revocation) weakens the system, so it cannot be said that it is "safe". But maybe it is not utterly risky. In practice, risks of connecting to a fake Web site are low, because stolen credit card numbers are not worth a lot, and running a fake Web site that successfully emulates a real airline reservation system is a lot of work; hackers who could steal the private key would probably not do that. But that's your decision to take, not mine.

If your browser could not ascertain the revocation status, then chances are that you cannot do it yourself either. However, it may be interesting to know what exactly has happened. Normally, each certificate in the chain contains a URL to the location of the relevant CRL (in a CRL Distribution Points extension). Maybe some of these Web sites are currently unreachable; maybe the CRL they host are out of date, thus revealing a technical glitch on the CA side.

(From my machine, right now, the British Airways certificate looks fine, including revocation status, so chances are that the glitch was temporary.)

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
1

It is not uncommon for revocation checking to fail due to the CA revocation service not being available - or it being late in publishing a CRL. So you are probably okay.

A revocation check can be either to to CRL file which is published periodically by the CA (e.g. every 8 hours) which has a validity period or using an Online Certificate Status Protocol (OCSP) endpoint. Certificates that have expired will not appear on a CRL.

All popular browsers support OCSP although Chrome has it disabled by default due to perceived latency problems (see Wikipedia OCSP entry).

The way browsers handle revocation checks is complicated. Netcraft have an excellent article on how browsers fudge the whole revocation checking process in order to speed up the browsing experience, although it is possible that things have changed since it was written over 12 months ago.

DodgyG33za
  • 765
  • 3
  • 6