Name in API: tlscert_no_revocation
Severity: Low
Factor: Network Security
Summary
A TLS Certificate Without Revocation Control lacks mechanisms like CRL or OCSP to verify its validity. Without these checks, compromised certificates remain trusted, enabling attackers to impersonate websites.
How Does It Work?
- Revocation Mechanism: A Certificate Authority (CA) includes URLs in certificates for revocation checks (CRL or OCSP).
- CRL (Certificate Revocation List): The CA publishes a list of revoked certificates, which clients can download to check validity.
- OCSP (Online Certificate Status Protocol): Clients query the CA’s server in real-time to verify if a certificate has been revoked.
- Revocation Reasons: Certificates may be revoked for key compromise, domain decommissioning, or mis-issuance.
- Client Validation: Before accepting a certificate, clients (browsers, applications) verify if it’s revoked by checking CRLs or OCSP responses.
- Connection Blocked: If the certificate is revoked, the connection is refused or marked insecure by the client.
Why Is It a Risk?
Issuing certificates without revocation controls is a security risk because it prevents clients from detecting compromised or invalid certificates. Without revocation checks, a certificate that has been stolen, misused, or rendered obsolete could still be trusted, allowing attackers to impersonate legitimate servers. This exposes users to potential man-in-the-middle attacks, data breaches, and other security vulnerabilities.
Self Evaluation
You may validate the presence/absence of the expired certificate on the endpoint by using the following 3rd Party tools. All can be used to confront contradictory results. However, when comparing results, ensure that the endpoint scanned by each is the same information and matches the SecurityScorecard finding.
Sslscan
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null </dev/null | \
openssl x509 -noout -text | grep -A4 "Authority Information Access\|X509v3 CRL Distribution Points"
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.example-ca.com/example.crl
Authority Information Access:
OCSP - URI:http://ocsp.example-ca.com
CA Issuers - URI:http://certs.example-ca.com/example.crtIf the finding is valid, this command returns no output — no CRL Distribution Points and no OCSP URI in the Authority Information Access extension.
How to mitigate
Enable OCSP stapling, use trusted CAs, automate certificate renewal, regularly audit SSL/TLS configurations, and ensure revocation checks.
CRL - Certificate Revocation Lists
Configure web server to distribute CRL.
Ensure clients have configured to check CRL automatically.
OSCP - Online Certificate Status Protocol
Usage of OSCP is used to provide real-time revocation status checks.
Configure the webserver to respond to real-time OSCP requests.
Remediation
- The endpoint configuration has changed, and the certificate used on the endpoint has a CRL/OSCP URL, including in the revocation controls as mentioned above. => Select the finding and then click on the "Fixed" button, "technical_remediation".
- The endpoint has been closed, and therefore, the endpoint is unreachable(or serving a 400/404)
=> Select the finding and then click on the "Fixed" button, "technical_remediation". - After verification (using the methods above, for example), the endpoint defined in the finding does have a certificate updated and is contrary to what SecurityScorecard is stating.
=> Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue, and I think it’s incorrect," "false_positive."