On a mission to solve communications security issues for the whole Internet. That, and drink coffee. Zola 2020-12-01T00:00:00+00:00 https://insufficient.coffee/tag/crlite/atom.xml 2020-12-01T00:00:00+00:00 2020-12-01T00:00:00+00:00 Unknown https://insufficient.coffee/2020/12/01/crlite-part-4-infrastructure-design/

<p>Firefox is the only major browser that still evaluates every website it connects to whether the certificate used has been reported as revoked. Firefox users are notified of all connections involving untrustworthy certificates, regardless the popularity of the site. Inconveniently, checking certificate status sometimes slows down the connection to websites. Worse, the check reveals cleartext information about the website you’re visiting to network observers.&hellip; </p>

2020-11-27T00:00:00+00:00 2020-11-27T00:00:00+00:00 Unknown https://insufficient.coffee/2020/11/27/auditing-crls-of-crlite/

<p>Since Firefox Nightly is now using <a href="/tag/crlite">CRLite</a> to determine if enrolled websites' certificates are revoked, it's useful to dig into the data to answer why a given certificate issuer gets enrolled or not.&hellip; </p>

2020-11-26T00:00:00+00:00 2020-11-26T00:00:00+00:00 Unknown https://insufficient.coffee/2020/11/26/querying-crlite/

<p>Firefox Nightly is now using <a href="/tag/crlite">CRLite</a> to determine if websites' certificates are revoked — e.g., if the Certificate Authority published that web browsers shouldn't trust that website certificate. Telemetry shows that querying the local CRLite dataset is much faster than making a network connection for <a rel="external" href="https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol">OCSP</a>, which makes intuitive sense. It also avoids sending the website's certificate information in cleartext over the network to check the revocation status: solving one of the remaining cleartext browsing data leakages in Firefox.

2020-01-21T00:00:00+00:00 2020-01-21T00:00:00+00:00 Unknown https://insufficient.coffee/2020/01/21/crlite-part-3-speeding-up-secure-browsing/

<p>CRLite pushes bulk certificate revocation information to Firefox users, reducing the need to actively query such information one by one. Additionally this new technology eliminates the privacy leak that individual queries can bring, and does so for the whole Web, not just special parts of it.&hellip; </p>

2020-01-09T00:00:00+00:00 2020-01-09T00:00:00+00:00 Unknown https://insufficient.coffee/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/

<p><a rel="external" href="https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf">CRLite</a> is a technology proposed by a group of researchers at the <a rel="external" href="https://www.ieee-security.org/TC/SP2017/">IEEE Symposium on Security and Privacy 2017</a> that compresses revocation information so effectively that 300 megabytes of revocation data can become 1 megabyte.

2020-01-09T00:00:00+00:00 2020-01-09T00:00:00+00:00 Unknown https://insufficient.coffee/2020/01/09/crlite-part-2-end-to-end-design/

<p>CRLite is a technology to efficiently compress revocation information for the whole Web PKI into a format easily delivered to Web users. It addresses the performance and privacy pitfalls of the Online Certificate Status Protocol (OCSP) while avoiding a need for some administrative decisions on the relative value of one revocation versus another.&hellip; </p>

2018-12-04T00:00:00+00:00 2018-12-04T00:00:00+00:00 Unknown https://insufficient.coffee/2018/12/04/making-https-revocations-work-crlite/

<p>I gave a lightning talk at our Mozilla All-Hands meeting about <a rel="external" href="https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf">CRLite</a>, a new technology for delivering revocations for the Web PKI to all clients in a very compressed form.

2017-12-04T00:00:00+00:00 2017-12-04T00:00:00+00:00 Unknown https://insufficient.coffee/2017/12/04/countering-phishing-with-cryptography/

<p>At Mozilla's Austin All-Hands I gave a lightning talk about <a rel="external" href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication</a>, which is our best technical solution to the scourge of phishing today.