Difference between revisions of "Failure to check for certificate revocation"

Jump to: navigation, search
(Related Vulnerabilities)
Line 67: Line 67:
* [[Failure to validate host-specific certificate data]]
* [[Failure to validate host-specific certificate data]]
* [[Key exchange without entity authentication]]
* [[Key exchange without entity authentication]]
* [[Failure to check for certificate expiration]]
==Related [[Controls]]==
==Related [[Controls]]==

Latest revision as of 13:16, 21 February 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 02/21/2009

Vulnerabilities Table of Contents


If a certificate is used without first checking to ensure it was not revoked, the certificate may be compromised.


  • Authentication: Trust may be assigned to an entity who is not who it claims to be.
  • Integrity: Data from an untrusted (and possibly malicious) source may be integrated.
  • Confidentiality: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.

Exposure period

  • Design: Checks for certificate revocation should be included in the design of a system.
  • Design: One can choose to use a language which abstracts out this part of authentication and encryption.


  • Languages: Any language which does not abstract out this part of the process
  • Operating platforms: All

Required resources

Minor trust: Users must attempt to interact with the malicious system.



Likelihood of exploit


The failure to check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.

Risk Factors



In C/C++:

if (!(cert = SSL_get_peer(certificate(ssl)) || !host)
... without a get_verify_results

Related Attacks

Related Vulnerabilities

Related Controls

  • Design: Ensure that certificates are checked for revoked status.

Related Technical Impacts