CRL in Firefox & Thunderbird

Every Certificate Authority (CA) periodically issues a Certificate Revocation List (CRL). When a certificate is revoked, a new CRL is issued and published as soon as possible. This is a best practice very often followed by CAs, and it lets users learn about possible security hazards as soon as possible. Users are expected to download a new copy of the CRL at the latest before the old one expires. However, users typically do not care about CRLs at all. This is especially a problem with software such as Firefox & Thunderbird, which requires users to manually set up URLs pointing to the CRLs of all the CAs they use. A typical user will never do that!

Asking users to set up all URLs manually isn't necessary. Every issued certificate should contain the URL pointing to the CRL. That allows downloading the CRL just before accepting a new connection. The following example shows how to get the CRL location from an X.509 certificate presented by an HTTPS server.

$ openssl s_client -connect www.cesnet.cz:443 </dev/null |\
  openssl x509 -noout -text |grep crl
URI:http://crl.globalsign.net/educational.crl

Yes, it can take some time on a slow line, but I would like to have the possibility to activate this feature in my clients, especially in combination with some caching mechanism. But there is no chance to do this with Firefox & Thunderbird. The only thing I can do is to set up each possible URL pointing to the CRL manually.

For this setting it is necessary to choose Edit -> Preferences -> Advanced -> Encryption -> Revocation -> Import. This long click path displays a window called "Automatic CRL Update Preferences". It looks nice. I have chosen to update CRLs once a day, which is frequent enough for most cases. I last visited this window on 26th May 2008; now it is 16th Jun 2008 and Firefox still shows the same content in the window "Manage CRLs". CRLs are not automatically updated at all!

I tested this problem in Firefox 2.0.0.12, 2.0.0.14 and 3.0 RC1 and RC2. I also tested Thunderbird 2.0.0.12. None of those revisions updates CRLs at all!

This bug is very dangerous, especially after the bug in the Debian patch to the random number generator in OpenSSL was discovered.

Running Firefox & Thunderbird without CRL checking enabled is pretty dangerous. It is like driving a car without brakes.

Bug reports

Yes! Bug reports are filed in Bugzilla. Check out #371522 and #417182. If you can, vote for fixing those bugs. They don't seem to have high priority; maybe your vote can change that.

Workarounds

I had a simple idea for how to work around this problem. Firefox stores CRLs together with certificates in cert8.db. I thought that it should be possible to update cert8.db by an external script. The command crlutil -I -d ~/.mozilla/firefox/default.xyz -i CRL.r0.der really allows updating the CRL database, but only when Firefox isn't running.
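An external script of the kind described above, added here as an example that is not part of the original post: it reads the CRL distribution point from a server's certificate, downloads the CRL, and imports it with the crlutil command above only while Firefox is not running. The function names, the pgrep process names and the assumption that the CRL is DER-encoded are assumptions of this example.

```shell
#!/bin/sh
# Added example: refresh one CA's CRL in a Firefox profile from outside the browser.

# Print the URIs from the "CRL Distribution Points" extension of the
# `openssl x509 -noout -text` output on stdin. Unlike `grep crl`, this
# ignores OCSP / CA Issuers URIs and finds CRL URLs that do not contain "crl".
crl_uris() {
  awk '
    /CRL Distribution Points:/ { match($0, /^ */); depth = RLENGTH; in_cdp = 1; next }
    in_cdp && NF { match($0, /^ */); if (RLENGTH <= depth) in_cdp = 0 }
    in_cdp && /URI:/ { sub(/^.*URI:/, ""); print }
  '
}

# True while a browser process may hold cert8.db open (process names assumed).
firefox_running() { pgrep -x 'firefox|firefox-bin' >/dev/null 2>&1; }

# refresh_crl HOST PROFILE_DIR: fetch the CRL named by HOST's certificate
# and import it with the crlutil invocation from the article.
refresh_crl() {
  host=$1 profile=$2
  tmp=$(mktemp) || return 1
  uri=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -text | crl_uris | head -n 1)
  [ -n "$uri" ] || { echo "no CRL distribution point for $host" >&2; rm -f "$tmp"; return 1; }
  # The download is plain HTTP, so parse it as a DER CRL before touching the DB.
  if curl -fsS --max-time 30 -o "$tmp" "$uri" &&
     openssl crl -inform DER -in "$tmp" -noout -nextupdate; then
    if firefox_running; then
      echo "Firefox is running; not importing $uri" >&2; rc=2
    else
      # Do not add -B: it bypasses the CA signature check on the CRL.
      crlutil -I -d "$profile" -i "$tmp"; rc=$?
    fi
  else
    echo "could not fetch or parse $uri" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Run only when called with arguments, e.g. from cron:
#   refresh-crl.sh www.cesnet.cz ~/.mozilla/firefox/default.xyz
if [ $# -eq 2 ]; then refresh_crl "$1" "$2"; fi
```

Exit status 2 means the CRL was fetched but skipped because the browser was running, so a cron job can retry later.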

The new version 3.0 of Firefox uses the new NSS library (version 3.12), which supports a shared certificate database. With this feature enabled it should be possible to update Firefox's CRLs automatically by a script. For more info check out the web pages "NSS Shared DB Samples" and "Using the Certificate Revocation List Management Tool". I have had trouble compiling crlutil with the new NSS library, which is why I have not been able to test this.

Firefox 3.0 is now in RC3 and Thunderbird 3.0 is in alpha1. I'm not sure how long it will take until both of them are released as stable. I need some solution right now. Maybe OCSP is better implemented in both of them. I will try to get a working OCSP daemon soon.