After our latest deep-dive into legacy TLS certificates, we came up with some new ideas for additional checks that we think will benefit our customers. We are therefore happy to present revoked certificate checking and misconfigured certificate chains as our latest analysis features.
During the lifetime of a TLS certificate, its owners might find themselves in a situation where they need to revoke (that is, declare invalid) an otherwise valid certificate. Reasons for this range from lost or compromised private keys to simply ensuring that a certificate cannot be used anymore.
To support this, the Online Certificate Status Protocol (OCSP) was devised. If the Certificate Authority supports it, the certificate chain contains the URI of an OCSP Responder, that is, a server run by the CA that can be asked for the status of a given TLS certificate.
As OCSP is an optional part of TLS, we treat it as such: we will only produce an alert if a certificate chain names an OCSP Responder and the OCSP response was an explicit "revoked". Any other response, or a chain that names no OCSP Responder, will not produce an alert.
Using a revoked certificate on a public web server will lead to web browsers warning visitors that the provided certificate is invalid, potentially hurting customer experience. We therefore mark occurrences of revoked certificates as "Severe Risk", recommending immediate attention.
Misconfigured Certificate Chain
The optimal TLS configuration for a web server provides the full certificate chain (intermediate certificates and the root certificate) to the client. To help with incomplete chains, there is an extension called Authority Information Access (AIA for short). If present, AIA holds information about where the next certificate in the chain can be found and downloaded.
If a web server is misconfigured and provides an incomplete certificate chain, a visitor's web browser can look at the AIA information and download the rest of the certificate chain to allow a successful certificate verification.
Fetching certificates based on AIA information hurts the perceived performance of your website, because the browser has to make additional requests to obtain the missing certificates. However, falling back to AIA information causes no browser warnings. We therefore mark occurrences of misconfigured certificate chains as "Medium Risk", indicating potential for improved performance and user experience that does not demand immediate attention.
We are always looking for ways to improve our services and hope that these additional checks and the additional insight provided by them will benefit the users across all our products.