CRLite - A Scalable System for Pushing All TLS Revocations to All Browsers

Explore a scalable system for pushing all TLS revocations to browsers in this 17-minute conference talk presented at the 2017 IEEE Symposium on Security & Privacy. Dive into CRLite, an efficient solution that addresses the limitations of current certificate revocation mechanisms. Learn how CRLite aggregates revocation information for all known, valid TLS certificates on the web and stores them in a space-efficient filter cascade data structure. Discover how browsers can periodically download and use this data to check for revocations in real-time without compromising security or privacy. Examine the prototype implementation processing certificates from various sources and its integration with a Firefox extension. Compare CRLite's performance to idealized browser revocation checking, and understand its low bandwidth requirements. Gain insights into topics such as TLS overview, certificate revocation lists, OCSP, browser support, Bloom filters, and the CRLite pipeline, demonstrating how complete TLS/SSL revocation checking can be achieved for all clients.

Intro
TLS Overview
Certificate Revocation Lists
Online Certificate Status Protocol
Browser Support
OCSP Stapling
Bloom Filters
Filter Cascade: Checking
CRLite Pipeline
Our Filter Cascade
Audit Log Distribution