Heartbleed, Check your CRL Settings
In the wake of the whole Heartbleed issue, I decided to check my web browsers to see what their CRL (Certificate Revocation List) settings were. Whether or not you understand the whole concept behind the Heartbleed issue, one thing you need to understand is that any site that was susceptible to Heartbleed has to assume its private key was read out of server memory. That means it needs a new key and a new SSL certificate, and the old certificate has to be revoked; otherwise an attacker holding the old key can keep impersonating the site until that certificate expires. Revocation only protects you if your browser actually checks for it, and shockingly enough, most web browsers either do not check certificates against the CRLs and OCSP responders published by the Certificate Authorities that issue them, or check in a "soft-fail" mode that silently accepts the connection whenever the check cannot be completed.
Below are instructions on how to set your browsers properly.
***Update: Steve Gibson at grc.com has graciously gone through the process of obtaining a pre-revoked certificate so that you can test the settings in your browser. Once properly configured, simply try accessing this link
https://revoked.grc.com
in your browser and it should stop you from doing so. If you reach the site with nary a warning, then something isn't configured or working right.
***Update 04/21/2014: More good stuff from Steve Gibson on why all this might not really matter: CRL checking is broken. The short version is that a revocation check that soft-fails is no check at all, because an attacker who is positioned to present a stolen certificate to you is usually also positioned to block your browser's request for the CRL or OCSP response. The hard-fail settings below are what give the check teeth.
Firefox
1.) Open Firefox
2.) Mac: Click Firefox --> Preferences --> Advanced --> Certificates --> Validation
Win: Click Firefox --> Options --> Options --> Advanced --> Certificates --> Validation
3.) In this area there is an option "Use....OCSP to confirm validity" that should already be checked. However, for best effort you will also want to check the option "When OCSP fails, treat connection as invalid". Without it, Firefox soft-fails: if the OCSP responder cannot be reached, the certificate is accepted anyway, so a man-in-the-middle using a key stolen via Heartbleed only has to block the OCSP lookup to get past the check.
Chrome
1.) Open Chrome
2.) Mac: Click Chrome --> Preferences --> Show Advanced Settings --> Under HTTPS/SSL enable Check for server certificate revocation
Win: Click on the three horizontal bars icon in the upper right --> Settings --> Show Advanced Settings --> Under HTTPS/SSL enable Check for server certificate revocation
Note: with this box unchecked Chrome does no online CRL or OCSP lookup at all and relies only on its built-in CRLSet, a short list of revocations that Google pushes out with the browser, which covers only a small fraction of revoked certificates.
Safari
1.) Safari uses the system-wide certificate settings from Keychain Access rather than settings of its own, so launch Keychain Access, located in /Applications/Utilities/Keychain Access
2.) Click Keychain Access --> Preferences --> Certificates
Update!!!! I originally stated to set OCSP to Require for all Certificates and Priority to both but the App Store doesn't currently play well with those settings.
3.) Set Online Certificate Status Protocol to: Require if certificate indicates
4.) Set Certificate Revocation List to: Require for all certificates
***Note: for steps 3 and 4 you must hold down the Option key while clicking to enable the setting I suggest. Normally it will be greyed out.
5.) Set Priority to: CRL
Internet Explorer
1.) Open Internet Explorer
2.) Click on the gear in the upper right --> Internet Options --> Advanced
3.) Scroll down to the Security heading and make sure the option for Check for server certificate revocation is checked
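All four of the browser settings above come down to the same decision: when validating a server certificate, consult the issuing CA's revocation list (or OCSP responder) and refuse the connection if the certificate is listed. To show what that check actually does, and why leaving it off matters, here is an added example that is not part of the original post: a shell script that uses the openssl command line to build a throwaway CA, issue a certificate, revoke it as if its key had leaked, publish a CRL, and then validate the certificate both with and without CRL checking. The CA name, the hostname revoked.example.test and the serial numbers are made up for the demo; the only assumption is that an openssl binary (1.1.1 or 3.x) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway CA built with the
# openssl CLI so the revocation check can be exercised entirely offline.
# "Example Test CA" and "revoked.example.test" are invented names.
set -eu

# Build a one-shot CA, issue a leaf certificate, then revoke it and publish a CRL.
build_pki() {
  pki="$1"
  mkdir -p "$pki/newcerts"
  : > "$pki/index.txt"
  echo 1000 > "$pki/serial"
  echo 01   > "$pki/crlnumber"
  # Minimal configuration for "openssl ca". $dir is expanded by openssl, not the shell.
  cat > "$pki/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = leaf_ext

[ cn_only ]
commonName = supplied

[ req ]
distinguished_name = empty_dn
[ empty_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:revoked.example.test
EOF
  (
    cd "$pki"
    # Self-signed root that is allowed to sign certificates and CRLs.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/CN=Example Test CA" -days 365 -config ca.cnf -extensions ca_ext >/dev/null 2>&1
    # Leaf key and CSR, signed by the CA through the "ca" database so it can be revoked later.
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=revoked.example.test" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1
    # The Heartbleed scenario: the leaf key is presumed stolen, so the CA revokes
    # the certificate and publishes a CRL listing its serial number.
    openssl ca -batch -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  )
}

# Print "yes" if the CRL lists the leaf certificate's serial number, "no" otherwise.
crl_lists_leaf() {
  pki="$1"
  serial=$(openssl x509 -in "$pki/leaf.crt" -noout -serial | sed 's/^serial=//')
  if openssl crl -in "$pki/ca.crl" -noout -text | grep -q "Serial Number: $serial"; then
    echo yes
  else
    echo no
  fi
}

# Validate the leaf against the root. With check=off the CRL is loaded but ignored,
# which is what a browser with revocation checking disabled does; with check=on
# (-crl_check) a revoked certificate is rejected. Prints "accepted" or "rejected".
verify_leaf() {
  pki="$1"; check="$2"
  if [ "$check" = on ]; then set -- -crl_check; else set --; fi
  if openssl verify -CAfile "$pki/ca.crt" -CRLfile "$pki/ca.crl" "$@" "$pki/leaf.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Run the whole demo in a temporary directory and print a one-line summary.
run_demo() {
  pki=$(mktemp -d)
  build_pki "$pki"
  printf 'in_crl=%s no_check=%s crl_check=%s\n' \
    "$(crl_lists_leaf "$pki")" "$(verify_leaf "$pki" off)" "$(verify_leaf "$pki" on)"
  rm -rf "$pki"
}

run_demo
```

Running it prints `in_crl=yes no_check=accepted crl_check=rejected`: the same certificate, listed on the CA's own CRL, passes validation when the verifier does not consult the CRL and fails only when it does. That is exactly the difference the browser toggles above make, with the added wrinkle that a browser which soft-fails behaves like the `no_check` case whenever the CRL or OCSP fetch is blocked.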