cURL / Mailing Lists / curl-library / Single Mail


Re: Fraudulent Certificates

From: Ben Noordhuis <>
Date: Thu, 24 Mar 2011 13:05:59 +0100

On Thu, Mar 24, 2011 at 09:22, Daniel Stenberg <> wrote:
> There's this incident that has been talked about the last couple of days
> where "an attacker" managed to get several fraudulent SSL certificates for
> public websites.
> Chrome and Firefox now both block these certificates explicitly.
> I assume there's reason for us to consider doing the same, to protect our
> users who might use libcurl to access such sites.
> I'll appreciate feedback and ideas.

The fraudulent certificates have been revoked. I think it's probably
better to check their revocation status through OCSP than it is to
retroactively blacklist them. Incidents like this happen time and time
again (though not often with such a high-profile CA) and a blacklist
is likely going to be perpetually outdated, even more so when you take
into account how much time it takes for upstream changes to make it
into the distros.

I don't think OpenSSL by default queries the revocation status (and
I've no idea if the other SSL engines support this) but all the
interesting bits are in <openssl/ocsp.h>.

OCSP does add overhead (an extra HTTP request) and is susceptible to
MITM attacks unless used properly. It should probably be combined with
CRLs but that's another can of worms.
List admin:
Received on 2011-03-24