Certificate Revocation List Verification NOT Performed By SafeSquid Resulting In Security Risk.
Posted: Tue Apr 28, 2020 8:34 am
Hello all,
After doing some research on web security, I saw a flaw in SafeSquid with respect to CRL checking, and I have added the necessary details below to explain the problem statement and the solution.
--------------------------
Problem Scenario:
--------------------------
I have come across sites where the CA has revoked their certificate for the following reasons:
A) An entity has lost the certificate key [private key].
B) An entity's web server got compromised and the private key MIGHT have been STOLEN.
In both of the above cases, the entity will report to the CA, and the CA will revoke the previous certificate and issue a new one.
To do this, the CA will sign a NEW certificate and revoke the older certificate.
C) An entity has committed some violation in providing secure services.
In this case also, the CA revokes the certificate.
[NOTE:
The CA, when signing the certificate, also attaches a CRL list,
which is used by clients to verify whether the certificate is revoked or NOT.
The check is whether the CRL list contains the ID of the certificate; more specifically, it contains the list of serial numbers for certificates.]
I have a list of sites where certificates are revoked,
but if we access them via SafeSquid-SWG we will still be able to access them, which is a security risk and might create problems in the long run.
----------------------------------------------------
LIST OF REVOKED CERTIFICATES
----------------------------------------------------
1. https://baltimore-cybertrust-root-revok ... icert.com/
2. https://revoked.grc.com/
3. https://global-root-g2-revoked.chain-de ... icert.com/
4. https://trusted-root-g4-revoked.chain-d ... icert.com/
5. https://ev-root-revoked.chain-demos.digicert.com/
6. https://ssltest24.bbtest.net/
-----------------------------
Proof Of Concept:
-----------------------------
Snapshots are listed below:
Accessing a website with a revoked certificate: revoked.badssl.com
-----------------------------------------------------------------------------------
Via Firefox Browser
---------------------------
Via SafeSquid-SWG
---------------------------
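The revocation check the post describes (the CA publishes a CRL, the client reads the CRL distribution point from the certificate, fetches the CRL and compares the certificate's serial number against the revoked serials), shown end to end with openssl. This is an added example and is not part of the original post or of SafeSquid's code: it builds a throwaway CA, issues two leaf certificates, revokes one, publishes a CRL, and then contrasts a CRL-aware verification with the chain-only verification the post says the proxy performs. The CA name, the host names under demo.example and the CRL URL are all constructed for the demo; nothing is fetched from the network.

```shell
#!/bin/sh
# Added example, not part of the original post or SafeSquid: build a throwaway
# CA with openssl, issue two leaf certificates, revoke one, publish a CRL, and
# compare a CRL-aware verification with a chain-only verification.
# Every name below (Demo CA, *.demo.example, the CRL URL) is a constructed
# assumption for this demo; nothing is fetched from the network.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal OpenSSL CA configuration. The leaf extension section carries a CRL
# distribution point: this URL is what a client reads from the certificate to
# learn where the CA publishes its CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = .
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = any_policy

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = Demo CA

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ leaf_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
crlDistributionPoints  = URI:http://crl.demo.example/demo-ca.crl
EOF
touch index.txt
echo 1000 > serial
echo 01 > crlnumber

# Self-signed CA, then two leaves signed by it (serials 1000 and 1001).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.pem -days 365 -subj "/CN=Demo CA" >/dev/null 2>&1
for name in revoked valid; do
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "/CN=$name.demo.example" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -extensions leaf_ext \
    -in "$name.csr" -out "$name.pem" >/dev/null 2>&1
done

# Revoke the first leaf (reason: key compromise) and publish the CRL.
openssl ca -config ca.cnf -revoke revoked.pem -crl_reason keyCompromise >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out demo-ca.crl >/dev/null 2>&1

# The core of the check: look the leaf's serial number up in the CRL.
# $1 = certificate, $2 = CRL. Prints "listed" or "not-listed".
serial_in_crl() {
  serial="$(openssl x509 -noout -serial -in "$1" | cut -d= -f2)"
  if openssl crl -noout -text -in "$2" | grep -q "Serial Number: $serial"; then
    echo listed
  else
    echo not-listed
  fi
}

# Full path validation with the CRL consulted. Prints "valid", "revoked" or "error".
crl_status() {
  if out="$(openssl verify -crl_check -CAfile ca.pem -CRLfile demo-ca.crl "$1" 2>&1)"; then
    echo valid
  else
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *) echo error ;;
    esac
  fi
}

# Chain-only validation (no CRL): the behaviour the post reports for the proxy.
chain_only_status() {
  if openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; then echo valid; else echo error; fi
}

echo "revoked.pem: serial $(serial_in_crl revoked.pem demo-ca.crl), crl_check=$(crl_status revoked.pem), chain_only=$(chain_only_status revoked.pem)"
echo "valid.pem:   serial $(serial_in_crl valid.pem demo-ca.crl), crl_check=$(crl_status valid.pem), chain_only=$(chain_only_status valid.pem)"
```

The chain-only verification accepts the revoked leaf because the signature and validity period are still fine; only the CRL-aware path (openssl verify -crl_check, or the manual serial lookup) rejects it. A real client additionally has to fetch the CRL from the distribution point URL and confirm the CRL itself is signed by the issuing CA and still within its validity period, which openssl verify does for the local CRL here.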