Defending Against Compromised Certificates

Abstract: This guidance provides IT personnel with actionable information to defend against compromised Certificate Authority (CA) and web site certificates, which could permit a malicious web server to impersonate a genuine one. Each operating system (OS) and browser may use a different mechanism to check and revoke trust in a certificate: some use a Certificate Revocation List (CRL), others use the Online Certificate Status Protocol (OCSP), and still others rely entirely on software updates, whose prompt application therefore remains fundamentally important. Browsers also differ in how they validate certificates: some query the OS certificate store, while others maintain their own certificate store and must be configured separately. Finally, some sites may become inaccessible when strict revocation checking is enforced.
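The abstract names CRL-based checking and warns that strict revocation checking can make some sites unreachable. The following program is an added example, not content from the factsheet or the catalog page: using only the Go standard library it builds a throwaway test CA, issues two server certificates, publishes a CRL that revokes one of them, and then performs the checks a relying party should make before acting on a CRL (issuer signature and freshness) plus the hard-fail versus soft-fail decision that the abstract's caveat refers to. It goes slightly beyond the abstract by showing that a missing, stale or wrongly signed CRL must be treated as "unknown", never as "good". The CA name, host names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Status string

const (
	StatusGood    Status = "good"    // not listed on a fresh CRL signed by the issuer
	StatusRevoked Status = "revoked" // serial number is listed on the CRL
	StatusUnknown Status = "unknown" // CRL missing, malformed, stale, or signed by the wrong key
)

// mint generates a P-256 key and signs tmpl with parentKey; a nil parent means self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// newCA builds a throwaway test CA (constructed for this example, not a real authority); CreateCertificate
// fills in SubjectKeyId for CA templates, which CreateRevocationList requires of the CRL issuer.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Test CA"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueLeaf issues a TLS server certificate for host under the test CA.
func issueLeaf(caKey *ecdsa.PrivateKey, ca *x509.Certificate, host string, serial int64) (*x509.Certificate, error) {
	_, cert, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// buildCRL signs a CRL listing the given serials as revoked, valid for seven days from now.
func buildCRL(caKey *ecdsa.PrivateKey, ca *x509.Certificate, revoked []*big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkRevocation looks leaf up in a DER-encoded CRL. A CRL that is missing, malformed, past NextUpdate, or not
// signed by the issuer yields StatusUnknown, never StatusGood: a substituted CRL must not "un-revoke" a certificate.
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	if len(crlDER) == 0 {
		return StatusUnknown, fmt.Errorf("no CRL available for %s", leaf.Subject.CommonName)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL stale since %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// accept applies the client's policy: strict ("hard fail") checking blocks on StatusUnknown, which is why a
// site whose CRL is unreachable can become inaccessible; soft fail lets those connections through.
func accept(st Status, hardFail bool) bool {
	if st == StatusUnknown {
		return !hardFail
	}
	return st == StatusGood
}
```

Call newCA, issueLeaf, buildCRL and checkRevocation from a main or a test to exercise the three cases (listed, not listed, no usable CRL). OCSP, which the abstract also mentions, follows the same discipline of verifying the responder's signature and the response's freshness before acting on the status, but is not shown here.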

Date Published:

Last Reviewed: 16 July 2015

Identifier: ADF-2012-1202

Creator:

Dissemination Control: N/A

Length: 2 page(s)

Format: pdf

Type: Reference/Overview; Factsheet

Tags: Certificate; Certificate Authorities; Credential Management