Certificate Revocation List Verification NOT Performed By SafeSquid Resulting In Security Risk.

[aashish97]

Hello all,

After doing some Research on Web Security I saw a flaw in SafeSquid with respect to CRL Checking and I have added the necessary details to explain The Problem Statement and the Solution.

--------------------------
Problem Scenario:
--------------------------

I have come across sites where the CA has Revoked their Certificate for the Following Reasons:

A) An Entity has Lost the Certificate Key[Private Key]

B) An Entity's WebServer got Compromised and the Private Key MIGHT be STOLEN 

Both the above cases,
The Entity will Report to the CA, and the CA will Revoke the Previous Certificate and Issue a New One.

To do this: The CA while sign a NEW Certificate and Revoke the Older Certificate


C) An Entity has done some violation in providing Secure Services  

In this case, also the CA Revokes the Certificate

[NOTE:
The CA when signing the Certificate also attaches a CRL List 

Which Is used by Clients to Verify that the Certificate is Revoked or NOT

If the CRL List contains the ID of the Certificate More Specifically It contains the list of serial numbers for certificates  ]


I have a List of Sites Where Certificates are Revoked
But still if we access them Via SafeSquid-SWG we will be able to access then which is a Security Risk and Might create problem in the Long Run.

----------------------------------------------------
LIST OF REVOKED CERTIFICATES
----------------------------------------------------

1. https://baltimore-cybertrust-root-revok ... icert.com/

2. https://revoked.grc.com/

3. https://global-root-g2-revoked.chain-de ... icert.com/

4. https://trusted-root-g4-revoked.chain-d ... icert.com/

5. https://ev-root-revoked.chain-demos.digicert.com/

6. https://ssltest24.bbtest.net/


-----------------------------
Proof Of Concept:
-----------------------------

SnapShots are Listed Below:

Accessing Certificate Revoked Website: revoked.badssl.com
-----------------------------------------------------------------------------------

Via Firefox Browser
---------------------------

Revoked_Certificate_Handling_in_FireFox_Site_revoked.badssl.com.png (35.78 KiB) Viewed 1855 times

Via SafeSquid-SWG
---------------------------

VIA_SAFESQUID_PROXY_Revoked_Certificate_Handling_in_FireFox_Site_revoked.badssl.com.png (179.98 KiB) Viewed 1854 times

[aashish97]

Accessing Certificate Revoked Website: grc.com
------------------------------------------------------------------

VIA Firefox Browser we see the below Browser Error.
---------------------------

Revoked_Certificate_Handling_in_FireFox_Site_revoked.grc.com.png (33.46 KiB) Viewed 1854 times

VIA SafeSquid-SWG we see the below Result.
---------------------------

VIA_SAFESQUID_PROXY_Revoked_Certificate_Handling_in_FireFox_Site_revoked.grc.com.png (89.9 KiB) Viewed 1854 times

-------------
Solution:
-------------

While Accessing the above Sites Via SafeSquid - Secure Web Gateway.I can access the sites easily which will be dangerous for the users and will also create problem like Security Breaches.
In order to overcome this problem.
We need to Add a CRL Validation Check which will Check if the Certificate is Revoked or Not to provide better Security.

Below are few links which provide indepth Importance and Need of CRL Check in Certificate Security.

The Importance of Checking for Certificate Revocation - CA Security
LINK: https://casecurity.org/2013/03/08/the-i ... evocation/

All other Secure Web Gateway does the CRL Check as it is very IMPORTANT.