How Browsers Handled a Website with a Revoked SSL Certificate

The incident of unauthorized digital certificates relating to Google, issued by an Indian CA, has caused quite a scare among netizens. While we have to wait for the exact causes of this incident, I thought I would see how browsers handle websites with revoked certificates. The browsers I tested were Chrome, Internet Explorer, and Firefox. The website was:

https://nicca.nic.in/

While NIC CA’s website mentions that all certificate-issuing operations have been shut down for some time, it still continues to use the invalid certificate.

Date 3rd July 2014 

Due to security reasons NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted. 

Here are the results with screenshots:

Chrome Version 35

Of the three browsers tested, Chrome stood out from a security perspective: it gave users detailed information on why the connection may not be secure and did NOT provide an option to override the warning and access the affected website. Clicking the More button showed technical details about the certificate (revocation details in this case).

Screenshots: Revoked SSL certificate handling by Chrome; Chrome SSL revocation details

Firefox Version 30

Firefox too provided detailed information on why the connection is untrusted. However, Firefox also provided an option to ignore the warning, add an exception and continue to browse to the site. It would have been good if Firefox had blocked the Security Exception function and not allowed the site to load. Not good practice in my opinion.

Screenshots: Firefox handling of a revoked SSL certificate; Firefox SSL revocation override; NIC CA website

Internet Explorer Version 11

Of the three browsers, Internet Explorer provided the least technical information when trying to access the site with the invalid certificate. All it says is that the certificate is revoked, and even clicking the More Information button hardly provides any details; instead it directs to IE help, which I could not figure out. However, like Chrome, IE too did NOT provide an option to add an exception and continue to browse, which is good from a security perspective.

Screenshot: Internet Explorer SSL revocation