Google and Facebook’s push for SSL affects x.509 infrastructure

With the rush for everyone to switch to SSL, including Facebook and Google, do you think that their x.509 CA’s (Thawte and DigiCert) are prepared for the huge extra load to their CRL servers?

Background

A Certificate Authority in x.509, also known as a CA, is an entity that signs a certificate to indicate that the certificate should be trusted if one trusts that CA. A Certificate Revocation List, also known as a CRL, is a list of certificates that were signed by a CA that should no longer be trusted.

When checking the chain of trust in a signed certificate, it’s important to query the CRL of a CA frequently, and preferrably each time an SSL session is established. More people using certificates in SSL signed by a specific CA means more Internet traffic to the CA’s CRL. Are the CAs prepared for the additional traffic caused by a massively large scale adoption of SSL?

Normally, I’d say “Hey, any trusted CA’s certs are just as good as Verisign’s”, but do Thawte and DigiCert have the infrastructure of the root nameserver guys, Verisign? Thawte maybe, but who’s even heard of DigiCert?

If Facebook and Google are the top two visited sites, and considering how many sessions there are, I imagine that these third party CRL servers are going to have to do a lot more ramping up due to extra traffic than Facebook and Google will due to the resource hit on using encryption.

Analysis

crl3.digicert.com is a CNAME for digicert.cachefly.net

The A name resolves to 205.234.175.175

Cachefly is a content delivery network (CDN) with edge servers in many locations. If they’re only doing DNS based request routing, the name oddly resolves to the same IP address from Michigan as from Texas. Perhaps they’re routing based on a cost algorithm, and the bandwidth is cheap from this edge server? A traffic dump didn’t show any transport layer request routing. At least they have a 100% uptime SLA, and DigiCert lists multiple CRL distribution points in their cert.

crl.thawte.com is a CNAME for crl.verisign.net

Okay, Verisign. I’m not so worried anymore. Verisign does do location based request routing on their self-managed CDN. Thawte didn’t think to list multiple CRL distribution points, though.

These CDNs can likely handle the additional traffic or scale to handle it. There is still some concern over business continuity which relies on only one service provider. Hopefully, they have contingent plans.

Conclusions

It may not be the end of the world for these CRLs, as they may be able to handle the traffic, but I imagine that x.509 certs from Verisign, Thawte, and especially DigiCert will likely go up in price as their traffic costs go up.

Additionally, the push to implement SSL by the two busiest web sites is going to be a good test of current x.509 CRL implementation. Whether the test will fail or not, CRL seems like a pretty weak link.

What do you all think?

Leave a Reply

Your email address will not be published. Required fields are marked *