Internet Explorer and revocation check failure

Internet Explorer normally warns you if the server you visit has any certificate issues.

Some examples:

The certificate's Subject does not match the host name in the URL you used to access it:
image

The certificate was issued by a CA that your computer does not trust:
image

The certificate is not time valid (not yet valid or, more commonly, expired):
image

Another warning appears when the certificate has been revoked by the issuing CA:
image

That last check is controlled by the following setting (Check for server certificate revocation, under Internet Options > Advanced). I do not recommend disabling it:
image

If there are multiple issues, all of them are listed:
image

One thing that IE does not warn you about, however, is when the CRL is unavailable. Note that this does not mean that the certificate is revoked, only that you do not know whether it is.

This means that someone could trick you into trusting a revoked certificate by preventing your access to the CRL (by tricking the client into looking in the wrong place, for example through DNS, or by some sort of denial of service against the distribution point). Faking the CRL is not feasible, since it is signed with the issuing CA's private key; an attacker does not need to fake it, though, because simply making it unreachable produces no warning at all.

This warning actually existed in earlier versions of Internet Explorer but was removed in version 7. Since the inability to reach the CRL does not necessarily mean that the certificate has been revoked, many users complained that these notifications were mostly "false positives", so the warning was removed from the UI.

If you want to, you can use the FEATURE_WARN_ON_SEC_CERT_REV_FAILED feature control to re-enable this warning in IE 7 and later.

To enable this feature using the registry, add the name of the Internet Explorer executable as a DWORD value under the following key (you will probably need to create the FEATURE_WARN_ON_SEC_CERT_REV_FAILED key itself first):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED
    iexplore.exe = (DWORD) 00000001

(The same key under HKEY_CURRENT_USER works as well, for the current user only.)


The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000. On 64-bit Windows the 32-bit iexplore.exe process reads the redirected key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED, so set the value under both the native and the Wow6432Node key to cover both 32-bit and 64-bit IE processes. Restart IE afterwards; feature controls are read when the process starts.
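The registry change above, done from PowerShell so that it is repeatable. This is an added example and not a script from the original post; it writes the value under the native key and, on 64-bit Windows, under the Wow6432Node key too, then reads both back. Run it from an elevated 64-bit PowerShell prompt.

```powershell
# Added example, not part of the original post: enable (or disable) the
# FEATURE_WARN_ON_SEC_CERT_REV_FAILED feature control for iexplore.exe.
# Run from an elevated 64-bit PowerShell. On 64-bit Windows the value is
# written under both the native key and the Wow6432Node key so that both
# 32-bit and 64-bit IE processes see it.
param(
    [ValidateRange(0, 1)] [int]$Value = 1   # 1 = warn on revocation check failure, 0 = stay silent
)

$feature = 'FEATURE_WARN_ON_SEC_CERT_REV_FAILED'
$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$feature")
if ([Environment]::Is64BitOperatingSystem) {
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\$feature"
}

foreach ($key in $keys) {
    # The FEATURE_* key normally does not exist until you create it
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'iexplore.exe' -PropertyType DWord -Value $Value -Force | Out-Null
}

# Read the values back so you can confirm the change before restarting IE
foreach ($key in $keys) {
    $current = (Get-ItemProperty -Path $key -Name 'iexplore.exe').'iexplore.exe'
    "{0} -> iexplore.exe = {1}" -f $key, $current
}
```

Close all IE windows before running it; the feature control is read when iexplore.exe starts, so an already running browser keeps the old behaviour.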

The warning does not show a separate page like the other warnings do; instead it is visible in the URL bar.

This is how it looks without the warning:
image

and here the warning is enabled:
image

Clicking the warning gives this information:
image

To simulate these CRL problems for google.se I pointed the DNS name of the CRL Distribution Point at localhost in the hosts file. I also added the OCSP responder host from the Authority Information Access extension, so that neither revocation source was reachable:

127.0.0.1 pki.google.com
127.0.0.1 clients1.google.com

I found these names in the CRL Distribution Points and Authority Information Access extensions of the google.se certificate:

image
image
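The same simulation, scripted so it works for any certificate rather than only google.se. This is an added example, not from the original post: it reads the CRL Distribution Points and Authority Information Access extensions from a certificate file, blackholes every host they name in the hosts file, and clears the CryptoAPI URL cache (a cached CRL or OCSP response would otherwise let the check succeed even though the host is unreachable). It assumes the server certificate was saved from IE's certificate dialog (Details > Copy to File) to the path given as the default parameter; that path is made up.

```powershell
# Added example, not part of the original post. Reads the CRL Distribution
# Points and Authority Information Access extensions from a certificate file,
# points every host they name at 127.0.0.1 in the hosts file, and clears the
# CryptoAPI URL cache so that IE has to fetch the CRL / OCSP response again.
# Assumption: the server certificate was saved from IE's certificate dialog
# (Details > Copy to File) to the path below; the path itself is made up.
# Run from an elevated prompt (the hosts file is not writable otherwise).
param([string]$CertPath = 'C:\temp\google-se.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 2.5.29.31 = CRL Distribution Points
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP responder and CA Issuers URLs)
$revocationHosts = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
        # Format($true) renders the extension as text with one "URL=..." line
        # per distribution point / access method, so the hosts can be pulled out with a regex
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            ([Uri]$m.Groups[1].Value).Host
        }
    }
}
$revocationHosts = $revocationHosts | Sort-Object -Unique
if (-not $revocationHosts) { throw "No CRL/OCSP URLs found in $CertPath" }

# Blackhole the hosts; tag the lines so they are easy to remove afterwards
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entries = $revocationHosts | ForEach-Object { "127.0.0.1 $_  # revocation-check test" }
Add-Content -Path $hostsFile -Value $entries
ipconfig /flushdns | Out-Null

# CryptoAPI caches CRLs and OCSP responses per user, so a cached copy would
# still make the check succeed. Clear the cache in the user context IE runs in.
certutil -urlcache * delete | Out-Null

"Blackholed: $($revocationHosts -join ', ')"
"Remove the tagged lines from $hostsFile when you are done."
```

Because the CA Issuers URL in the Authority Information Access extension usually lives on the same host as the CRL, blackholing that host also stops IE from fetching a missing intermediate certificate, which is a separate failure you may see during the test. Remember that a real attacker does not need your hosts file: blocking or hijacking DNS for the CRL host on the network path gives the same silent result.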

That’s it, please comment below if you have any questions and/or opinions!

This entry was posted in CA, Certificates, CRL, PKI.

One Response to Internet Explorer and revocation check failure

  1. Pingback: Can disabling Delta CRL on a CA cause problems? | Microsoft Security Solutions
