Even revoking your certificates might not help against #MITM after #heartbleed

So you replaced your keys and revoked all corresponding certificates? Turns out you (and your site's visitors) are still vulnerable to MITM by the stolen keys!

At least if your CA (like ours) lets browsers, yours and your visitors', cache its Certificate Revocation List (CRL) for up to 7 days (the CRL below even advertises a Next Update ten days after its Last Update).

So even though the certificate of https://mogis-verein.de:8443 has been revoked, your browser will happily tell you it is still valid.

So until the previously cached CRL (the one that does not yet contain the revocations for our keys) reaches its Next Update and the browser refetches, our site's visitors remain vulnerable to MITM by the old (and probably leaked) keys. Bear in mind that most browsers also treat a revocation check that fails or times out as a pass, so an attacker who can block the CRL or OCSP fetch sidesteps revocation entirely; a revoked certificate is never a substitute for getting the new key deployed and the old one out of circulation.

Dear Rapid SSL, thanks for nothing! At least in this time of crisis you could have shortened the caching time to a few hours, so that revoked certificates get invalidated faster.


The relevant data (the CRL as printed by openssl crl -text -noout):

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
        Last Update: Apr 14 13:03:00 2014 GMT
        Next Update: Apr 24 13:03:00 2014 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:6B:69:3D:6A:18:42:4A:DD:8F:02:65:39:FD:35:24:86:78:91:16:30

            X509v3 CRL Number:
                98017
Revoked Certificates:
    ...
    Serial Number: 0F9083
        Revocation Date: Apr 14 07:30:47 2014 GMT
    ...
    Serial Number: 11C5EA
        Revocation Date: Apr 14 07:31:29 2014 GMT
    ...
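To check this yourself rather than take the browser's word for it, the script below parses the text form of a CRL (the format openssl prints above), confirms that a given certificate serial is actually listed, and works out how long a visitor who already holds the older CRL can keep trusting the leaked key. This is an added example, not code from the original post or from the CA; the CRL text is the dump from the post (elided entries kept as "..."), and the function names and the hypothetical cached-CRL dates are this example's own.

```python
"""Parse `openssl crl -text -noout` output and reason about CRL cache windows.

Added example, not from the original post.  CRL_TEXT is the dump shown in
the post; the helpers and the sample cached-CRL dates are assumptions of
this example.
"""
from datetime import datetime, timedelta, timezone

# Copied from the post; "..." marks entries the post elided.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
        Last Update: Apr 14 13:03:00 2014 GMT
        Next Update: Apr 24 13:03:00 2014 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:6B:69:3D:6A:18:42:4A:DD:8F:02:65:39:FD:35:24:86:78:91:16:30

            X509v3 CRL Number:
                98017
Revoked Certificates:
    ...
    Serial Number: 0F9083
        Revocation Date: Apr 14 07:30:47 2014 GMT
    ...
    Serial Number: 11C5EA
        Revocation Date: Apr 14 07:31:29 2014 GMT
    ...
"""


def parse_openssl_time(value):
    """openssl prints times like 'Apr 14 13:03:00 2014 GMT'; return tz-aware UTC."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_crl_text(text):
    """Return issuer, update times, CRL number and a {serial: revocation_date} map."""
    crl = {"issuer": None, "last_update": None, "next_update": None,
           "crl_number": None, "revoked": {}}
    pending_serial = None
    expect_crl_number = False
    for raw in text.splitlines():
        line = raw.strip()
        if expect_crl_number:                       # value sits on the line after the header
            crl["crl_number"] = int(line)
            expect_crl_number = False
        elif line.startswith("Issuer:"):
            crl["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Last Update:"):
            crl["last_update"] = parse_openssl_time(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            crl["next_update"] = parse_openssl_time(line.split(":", 1)[1])
        elif line.startswith("X509v3 CRL Number:"):
            expect_crl_number = True
        elif line.startswith("Serial Number:"):
            pending_serial = int(line.split(":", 1)[1].strip(), 16)   # serials are hex
        elif line.startswith("Revocation Date:") and pending_serial is not None:
            crl["revoked"][pending_serial] = parse_openssl_time(line.split(":", 1)[1])
            pending_serial = None
    return crl


def is_revoked(crl, serial):
    """True if the certificate with this (integer) serial is listed in the CRL."""
    return serial in crl["revoked"]


def cache_window(crl):
    """Longest time a client may keep this CRL without refetching: until Next Update."""
    return crl["next_update"] - crl["last_update"]


def revocation_visible_at(crl, serial, cached_next_update):
    """When a client still holding an older CRL (valid until cached_next_update)
    first learns that `serial` is revoked.  It has no reason to refetch before
    that Next Update, so the revocation takes effect for it at the later of the
    real revocation date and the cached copy's Next Update."""
    return max(crl["revoked"][serial], cached_next_update)


if __name__ == "__main__":
    crl = parse_crl_text(CRL_TEXT)
    print("CRL", crl["crl_number"], "from", crl["issuer"])
    print("clients may cache it for", cache_window(crl))
    # Hypothetical visitor: fetched the previous CRL just before the revocation;
    # like the one above it is good for ten days, so it expires Apr 24.
    cached_next_update = datetime(2014, 4, 24, 7, 0, tzinfo=timezone.utc)
    for serial in (0x0F9083, 0x11C5EA, 0x123456):
        if is_revoked(crl, serial):
            seen = revocation_visible_at(crl, serial, cached_next_update)
            print(f"{serial:06X} revoked {crl['revoked'][serial]:%Y-%m-%d %H:%M}, "
                  f"visible to that visitor only at {seen:%Y-%m-%d %H:%M}")
        else:
            print(f"{serial:06X} not on this CRL")
```

Feed it the output of `openssl crl -in rapidssl.crl -inform DER -text -noout` (or whatever your CA's CRL distribution point serves) and the serial from `openssl x509 -in cert.pem -noout -serial`; if your serial is missing, the revocation has not reached the published CRL yet, and if it is present, the Next Update tells you the worst-case date until which a visitor with a stale copy keeps trusting the old key.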