
There are two ways of checking the status of a digital certificate:

  1. Offline Authentication (CRL)
  2. Online Authentication (OCSP, SCVP)

Several browsers (like Mozilla Firefox) have given up the use of CRL over OCSP.

OCSP and SCVP are susceptible to MITM attacks.

Then which method is used as a primary means of checking the status of a digital certificate?

Vasu Deo.S

1 Answer

3

OCSP is not susceptible per se to MITM attacks, but it does have other problems:

  • Most browsers used to soft-fail, e.g., if they couldn't get the OCSP response for some reason, it allowed the connection to go through. So the attacker only needed to block the OCSP response.
  • Privacy issues: an attacker can see the OCSP query going through and can gain some information about your browsing.

This is solved by OCSP stapling, where the server is responsible for getting the OCSP response and sending it to the client (stapling). There is also the must-staple extension that makes stapling mandatory, otherwise a MITM attacker that stole the server private key could just not staple the OCSP response.

Conrado
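As an added example that is not part of the question or the answer above, the following Python models the client-side decision the answer describes: a soft-fail client lets a blocked responder through, a stapled response removes the client's own query, and a must-staple certificate turns a missing staple into a hard failure. The `openssl s_client -status` and `openssl x509 -text` excerpts it parses are constructed for the example, not captured from any real server, and the decision function is a simplified model, not any browser's actual code.

```python
"""Added example (not from the question or answer): models the client-side
revocation decision the answer describes. The openssl transcripts are
constructed for this example, not captured from a real server."""
import re
from typing import Optional, Tuple

# Constructed excerpt of `openssl s_client -connect host:443 -status` output
# for a server that staples; the "OCSP Response Data" block is what OpenSSL
# prints when a status_request response arrives in the handshake.
STAPLED_TRANSCRIPT = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
"""

# Constructed excerpt for a server that sends no stapled response.
UNSTAPLED_TRANSCRIPT = """\
CONNECTED(00000003)
OCSP response: no response sent
"""

# Constructed excerpt of `openssl x509 -text -noout` for a certificate
# carrying the TLS Feature extension (RFC 7633, "must-staple").
MUST_STAPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 TLS Feature:
                status_request
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

# Constructed excerpt for a certificate without the extension.
PLAIN_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def stapled_cert_status(s_client_output: str) -> Optional[str]:
    """Return the 'Cert Status' value from a stapled response, or None when
    the transcript shows that no response was sent."""
    if "OCSP response: no response sent" in s_client_output:
        return None
    m = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    return m.group(1) if m else None


def has_must_staple(x509_text: str) -> bool:
    """True if the certificate text lists status_request under TLS Feature."""
    return re.search(r"TLS Feature:[^\n]*\n\s*status_request", x509_text) is not None


def revocation_decision(stapled_status: Optional[str], must_staple: bool,
                        live_status: Optional[str], soft_fail: bool) -> Tuple[bool, str]:
    """Decide whether the client accepts the certificate (simplified model).

    stapled_status: status from the stapled response, or None if none stapled
    must_staple:    certificate carries the TLS Feature extension
    live_status:    result of the client's own OCSP query, or None if the
                    responder could not be reached (e.g. blocked on path)
    soft_fail:      client accepts when its own query gets no answer
    """
    if stapled_status is not None:
        # Server did the fetching: no client query to observe or block.
        return (stapled_status == "good",
                f"stapled response says {stapled_status}")
    if must_staple:
        # A missing staple on a must-staple cert is a failure, so simply
        # withholding the staple no longer gets a stolen-key impostor through.
        return False, "must-staple certificate presented without a staple"
    if live_status is not None:
        return live_status == "good", f"live OCSP query says {live_status}"
    if soft_fail:
        # The soft-fail weakness from the answer: an unreachable responder
        # is enough to make the client proceed.
        return True, "responder unreachable; soft-fail accepts anyway"
    return False, "responder unreachable; hard-fail rejects"


def scenarios() -> dict:
    """Run the cases discussed in the answer; True means the client accepts."""
    return {
        "soft_fail_blocked": revocation_decision(None, False, None, True)[0],
        "hard_fail_blocked": revocation_decision(None, False, None, False)[0],
        "stapled_good": revocation_decision(
            stapled_cert_status(STAPLED_TRANSCRIPT), False, None, True)[0],
        "must_staple_no_staple": revocation_decision(
            stapled_cert_status(UNSTAPLED_TRANSCRIPT),
            has_must_staple(MUST_STAPLE_CERT_TEXT), None, True)[0],
        "stapled_revoked": revocation_decision("revoked", True, None, True)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

Against a live server the same two checks are `openssl s_client -connect host:443 -status` (look for the `OCSP Response Data` block versus `no response sent`) and `openssl x509 -in cert.pem -text -noout` (look for `TLS Feature: status_request`); the functions above parse exactly those fragments.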