How Heartbleed transformed HTTPS security into the stuff of absurdist theater

Aurich Lawson / Thinkstock

If you want to protect yourself against the 500,000 or so HTTPS certificates that may have been compromised by the catastrophic Heartbleed bug, don't count on the revocation mechanism built-in to your browser. It doesn't do what its creators designed it to do, and switching it on makes you no more secure than leaving it off, one of the Internet's most respected cryptography engineers said over the weekend.

Four people have been able to see server keys and certificates in a test.

Certificate revocation is the process of a browser or other application performing an online lookup to confirm that a TLS certificate hasn't been revoked. The futility of certificate revocation was most recently discussed in a blog post published Saturday by Adam Langley, an engineer who was writing on his own behalf but who also handles important cryptography and security issues at Google. In the post, Langley recites a litany of technical considerations that have long prevented real-time online certificate revocations from thwarting attackers armed with compromised certificates, even when the digital credentials have been recalled. Some of the considerations include:

"That's why I claim that revocation checking is uselessbecause it doesn't stop attacks," Langley wrote. "Turning it on does nothing but slow things down. You can tell when something is security theater because you need some absurdly specific situation in order for it to be useful."

Langley's blog post helps explain why Google Chrome by default doesn't have online revocation enabled. In the aftermath of Heartbleed, many people have counseled turning it on. That's because the OpenSSL bug allows attackers to pluck passwords, authentication cookies, and even private encryption keys out of the computer memory of vulnerable servers. In many cases, there is no way to know if the two-year-old flaw has been exploited. As a result, security experts have counseled people administering vulnerable websites to assume the key bound to their old TLS certificate is compromised. That has meant getting a new certificate and revoking the old one.

Online certificate checking is the mechanism many have assumed would prevent end users from trusting revoked credentials. Certificate revocation by sites remains a good idea, but in light of this weekend's post, end users shouldn't assume OCSP will do much to flag old compromised keys that may be presented by attackers.

An IETF proposal hopes to mend cracks in the Internet's foundation of trust.

The Heartbleed debacle is by no means the first event to underscore the inadequacy of current TLS revocation. A variety of researchers have proposed alternatives. One such fix, devised by cryptography experts Moxie Marlinspike and Trevor Perrin, is known as TACK. Another one was created by a developer from Red Hat and is dubbed Mutually Endorsing CA Infrastructure. Langley, meanwhile, held out something called OCSP Must Staple.

Those proposals and several others like them have largely languished in inertia. If there's a silver lining to Heartbleed, it may be that it provides the catalyst that the huge number of the world's engineers will need to finally fix one of the Internet's biggest security holes.

More:
How Heartbleed transformed HTTPS security into the stuff of absurdist theater