Here's what we know:
This “revoked.grc.com” test was born from the revelation of the worrisome “Heartbleed” vulnerability that had existed in plain sight for two years without public awareness in the industry standard open source OpenSSL security suite. However, this special site is about more than that:
The security of connections between devices through the Internet depends upon “authentication” (being certain to whom we are connecting in an environment where we have no direct means of verifying) and “privacy” (being certain that our communications cannot be eavesdropped upon despite the fact that our data traffic may be travelling great distances outside our direct control). Those two security properties are assured only through the integrity of the Internet's security certificate infrastructure.
“Certificates” provide a means for web servers at
the far end of remote connections to verifiably
assert their identity across the Internet.
The security certificates that routinely assure the security of our Internet connections are among the most closely guarded and protected secrets any organization maintains. Because secrets are notoriously difficult to keep, and “certificates” are just a small file of binary data, the certificates used to assert a web server's identity routinely expire every two or three years. So even if a certificate were to somehow escape, it would “die” of its own age before long. The problem is that “long” is a relative term. In a world increasingly connected by beams of light, malicious forces can wreak tremendous havoc in seconds, let alone years.
The so-called “Heartbleed” vulnerability shocked the
Internet with the specter of mass certificate theft.
The normal life cycle for a security certificate is one where it successfully remains secret throughout the span of its two or three year life. Then, as its pending self-expiration approaches, it is replaced by a freshly minted certificate with another two or three year life span. The replaced certificate is digitally shredded so that even during its last days it cannot be maliciously abused. And so the cycle repeats.
But we all know that humans, and human computer programmers, are fallible. Mistakes will happen. What if an organization came to believe, or even suspect, that their prized secret certificate might have escaped from their control? With so much riding on a simple collection of bits, the Internet's designers recognized that there were many situations, perhaps most situations, where waiting several years for a possibly lost or stolen rogue certificate to expire was not an option. The danger and risk was just too great. We needed a means for killing off (invalidating, revoking, etc.) any certificate whose owner believed, for whatever reason, that they and those relying upon that certificate's assurances might be damaged through its abuse.
So, mechanisms for certificate “revocation” were created.
And now you understand the problem . . . or YOUR problem: The fact that you are viewing THIS PAGE, which was displayed “securely” using a deliberately revoked certificate, means that this web browser is either deliberately by design, or through misconfiguration, ignoring the Internet industry's deliberately designed and otherwise functioning certificate revocation system!
This means that this web browser will not detect and warn you if you
visit a fraudulent website that is using a revoked certificate that is
known to the REST of the Internet to be bogus. YOU won't know.
At the moment, and for the next several years, this potential danger is extreme, because many experts believe that the long unseen Heartbleed vulnerability, which affected approximately 17.5% of the Internet's websites, may have been used to steal those sites' security certificates. If, upon learning of Heartbleed, those sites took the responsible action of revoking their possibly-compromised certificates and having replacements reissued, and if those stolen certificates where then used to impersonate the once-vulnerable sites, this web browser WILL NOT DETECT AND WARN YOU that you are visiting a known-fraudulent website.
By April of 2017, all of the certificates which may have been stolen via Heartbleed will have died of old age, and the threat will diminish to normal levels. But fraudulent websites are always a threat. You need to be aware, especially for the next several years, that this defective web browser is ignoring the certificate revocation mechanisms that the Internet's designers put in place specifically to protect users from the persistent threat of rogue certificates.
If you are interested in learning what you can do about this, and to understand more about the situation and problem of security certificate revocation, please see these pages:
A special note of thanks to the great people at Digicert, GRC's carefully chosen and, we believe, the best certificate authority, who were gracious enough to work with us to create a special pre-revoked security certificate. Perhaps the first time this has ever been done!
Gibson Research Corporation is owned and operated by Steve Gibson. The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
|Last Edit: May 04, 2014 at 14:15 (351.72 days ago)||Viewed 168 times per day|