CRLs are back, baby!

Lets Encrypt is to establish a platform that will support the revocation of digital certificates via Certificate Revocation Lists

Certificate authority Let’s Encrypt has announced plans to establish a platform that will support the revocation of digital certificates via Certificate Revocation Lists (CRLs).

The CRL approach to disavowing compromised digital identities was established many years ago but has largely phased been out over the last decade or more in favor of the Online Certificate Status Protocol (OCSP), owing to its burdensome impact on performance.

CRLs are comprehensive lists of digital certificates that have been revoked by a certificate authority (CA) before their expiration date, whereas the OSCP enables browsers to consult the CA’s OCSP service over a specific certificate’s status.

Back in vogue

The CRL approach has recently become fashionable again – like listening to albums on vinyl – thanks to recent browser security updates.

“By collecting and summarizing CRLs for their users, browsers are making reliable revocation of certificates a reality, improving both security and privacy on the web,” Let’s Encrypt explains in a blog post explaining how it is establishing an infrastructure to better support CRL-based digital certificate revocation.

Catch up on the latest encryption-related news and analysis

Certificates put the ’S’ – security – into HTTPS. Unless a workable certificate revocation system is in place, there’s no remediation for a website owner in cases where an attacker steals the digital certificate of their website.

Without revocation, the compromised credential remains valid until it automatically expires at the end of its lease – most often years after the initial attack.

This undesirable situation is a direct result of the shortcomings in the revocation process that Let’s Encrypt is seeking to address. Powered by changes in browser software and support by Let’s Encrypt, the rejuvenated CRL approach promises an effective mechanism to revoke web certificates once their legitimate owners realize they have been either leaked or stolen – a sadly not infrequent problem.

Digital certificate revocation is therefore less about setting up a secure website in the first place, and more about making your website secure again after it’s been hacked.

The Daily Swig asked Let’s Encrypt to comment on whether it was seeking to encourage wider adoption of this approach by other CAs or through standards bodies, among other questions.

No word back as yet, but we’ll update this story as and when more information comes to hand.

In a Twitter thread, web security expert Scott Helme analyzed the merits and potential drawbacks of Let’s Encrypt’s move and the wider advantages and trade-offs inherent in the browser-based CRL approach.

YOU MAY ALSO LIKE LastPass flags security incident after attackers stole source code, technical information