Friday, October 3, 2008

Confused by an SSL related blog post

I subscribe to the Planet SysAdmin, an aggregation of Sys Admin-related blogs via RSS (http://planetsysadmin.com/). Today, I came across a post that really confused me on what the author was trying to accomplish or explain.

http://utcc.utoronto.ca/~cks/space/blog/web/RevocableSSLNames

I'm hoping that one of you that is smarter than me gets it and maybe can explain it to me. Using his example of online banking, I look at my bank and it looks like the cert is probably handled by a load balancer; or maybe, as explained in his second case, an HTTPS Proxy server. He discusses revoking the cert by changing the host name.

A) How would that help when I have a bookmark to https://onlinebanking.example.com?
B) And wouldn't you revoke the compromised cert with the certificate issuer anyway?

The only thing I could think of is he's discussing SSL on both ends of his proxy (web client to proxy, proxy to application server). But in that scenario, the only thing that is apparent to the end user is the SSL cert to the proxy, which would have to be revoked by the certificate issuer if compromised.

Or, I'm missing something entirely...

3 comments:

Ben Sherman said...

I think he doesn't understand that you can revoke a cert - it looks like he's saying you'd want to revoke the domain if the cert itself got compromised, not realizing that this is the whole point of third party verification.

cks said...

The problem is that SSL certificate revocation doesn't work in practice (at least for web browsers). It's hard to see how it could be made to work, since most any way to do it both slows down https browsing and puts a significant additional (uncompensated) bandwidth load on the certificate authorities. (Some ways also let the SSL CA snoop on what https websites you are visiting, which is sure to be popular with all sorts of people.)

I sort of alluded to this in passing in an earlier entry, but I should have said something more explicit about it (or at least found a good summary and linked to it.)
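To make the "revocation doesn't work in practice" point concrete from the client side, here is an added example (not from the commenter or the blog) using Python's standard `ssl` module as a stand-in for a TLS client: a default context performs no CRL check at all, and opting in only works if you supply and refresh the CRLs yourself, because OpenSSL never fetches them during the handshake. The `crl_pem_path` parameter is an assumption for illustration.

```python
import ssl
from typing import Optional


def revocation_checks(ctx: ssl.SSLContext) -> dict:
    """Report which revocation checks a context will perform on the peer.

    OpenSSL only consults CRLs that were loaded locally; it never downloads a
    CRL or contacts an OCSP responder on its own, so an unset flag here means
    a revoked certificate is accepted without complaint.
    """
    flags = ctx.verify_flags
    return {
        "leaf_crl": bool(flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "chain_crl": bool(flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


def default_client_context() -> ssl.SSLContext:
    """What most code ends up with: hostname and chain are verified,
    revocation is not checked."""
    return ssl.create_default_context()


def crl_checking_client_context(crl_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """Opt in to CRL checking for every certificate in the chain.

    Without a CRL loaded for each issuer, every handshake fails with
    'unable to get certificate CRL'. The caller therefore has to fetch
    CRLs out of band and keep them fresh, which is exactly the latency and
    bandwidth cost the comment above describes. crl_pem_path is a
    hypothetical local PEM file containing the issuers' CRLs.
    """
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if crl_pem_path is not None:
        # load_verify_locations accepts PEM files holding CRLs as well as CAs.
        ctx.load_verify_locations(cafile=crl_pem_path)
    return ctx


if __name__ == "__main__":
    print("default:", revocation_checks(default_client_context()))
    print("crl-checking:", revocation_checks(crl_checking_client_context()))
```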

Reamer77 said...

It appears I should've asked the author. Talking with another sys admin offline, it appears that American Express kind of implements what he mentions.