From: Raghavendran H. (SSG) - CTD, Chennai. (raghavh_at_ctd.hcltech.com)
Date: Sat Sep 14 2002 - 06:58:39 CDT


    Hi Mike/List:

    I have the following observations to make regarding this issue:

    What I have done is this:

    1. We've created an SSL Test Certificate which has the CDP set to an HTTP URL
    (http://someserver.com/test.crl)
    2. We enable the Check for Server Cert Revocation in IE 6.0 with Q323759
    Patch (and also IE 5.0)
    3. We revoked the Server SSL certificate and generated a CRL and then
    published it at the above URL
    4. We then connect to the IIS Web Server.
    5. Our Observations are:
       1. IE seems to download the CRL to Temporary Internet Files using the
          CryptRetrieveObjectByUrl::InetSchemeProvider interface
       2. However, it simply ALLOWS access to the web site.

    Why is this the behavior? Can anybody please explain?

    Regards,
    Raghav

    -----Original Message-----
    From: Michael Howard [mailto:mikehowmicrosoft.com]
    Sent: Saturday, September 14, 2002 1:46 AM
    To: Raghavendran H. (SSG) - CTD, Chennai.; webappsecsecurityfocus.com
    Subject: RE: Do Browsers (IE) really check CRLs correctly?

    This is off by default in IE, and it looks at the CDP, assuming one is
    there :-)

    Go to Tools -> Internet Options -> check for server cert revocation

    I assume you're using IE5+, BTW.

    Cheers, MH
    Writing Secure Code
    http://www.microsoft.com/mspress/books/5612.asp

    -----Original Message-----
    From: Raghavendran H. (SSG) - CTD, Chennai.
    [mailto:raghavhctd.hcltech.com]
    Sent: Thursday, September 12, 2002 9:59 PM
    To: 'webappsecsecurityfocus.com'
    Subject: Do Browsers (IE) really check CRLs correctly?

    Hello folks:

    I was working on some things relating to SSL when I had this question:

    Do browsers, primarily IE, check for certificate revocation? If yes, do
    they do static CRL checking, or do they look for the CRLDP extension in
    the certificate and go and download the CRL from that particular URL and
    perform CRL checking?

    My initial analysis with a sniffer indicates no connection whatsoever to
    the URL mentioned in the certificate CRLDP extension field.

    Any insights are greatly appreciated.

    Thanks and Regards,
    Raghav
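The decision a CDP-aware client is expected to make after it has fetched the CRL, as an added Go example that is not part of this thread and not IE or Microsoft code: it rebuilds steps 1 and 3 of the test above (a CA, a server certificate whose CDP is http://someserver.com/test.crl, and a CRL revoking it) from constructed keys, then verifies the CRL's signature, its currency and the serial number. The names BuildScenario, mkCert and IsRevoked are my own, and the test CA and serials are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// mkCert signs tmpl with parent (self-signed when parent is nil); constructed test data only.
func mkCert(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildScenario recreates steps 1 and 3: a CA, a server cert with CDP http://someserver.com/test.crl, a CA-signed CRL revoking it.
func BuildScenario() (ca, leaf *x509.Certificate, crlDER []byte) {
	ca, caKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	leaf, _ = mkCert(&x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "someserver.com"},
		CRLDistributionPoints: []string{"http://someserver.com/test.crl"}}, ca, caKey)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crl, ca, caKey)
	return ca, leaf, crlDER
}
// IsRevoked is what a client must do after downloading the CRL named in leaf.CRLDistributionPoints:
// reject a CRL not signed by the issuer, reject a stale one, then look for the leaf's serial.
func IsRevoked(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil || rl.CheckSignatureFrom(issuer) != nil {
		return false, errors.New("CRL unparsable or not signed by the issuer: must not be trusted")
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return false, errors.New("CRL not current: revocation status unknown")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil // fetching the CRL decides nothing; this match does
		}
	}
	return false, nil
}
```

Because the download alone is what the observation above reports, the interesting outcome is that the serial of the revoked server certificate is found and the connection must be refused.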