The Heartbleed bug that came to light recently has sent the people responsible for Internet and website security scrambling to correct the defect. While the total costs are not in yet, one area that has already seen a significant cost impact is the issuers of site security certificates.
In the normal course of things, browsers visiting sites over HTTPS check the site's certificate using one of two revocation methods: the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL). For OCSP, the browser queries the certificate authority (CA) and asks whether one particular certificate has been revoked.
For CRL, the browser contacts the CA and downloads the complete list of all certificates that CA has revoked. OCSP uses far less bandwidth per check, but it produces a separate request, and a back-end lookup, every time a certificate is checked. CRL generates far fewer requests, but once the number of revoked certificates becomes large, as happened with the Heartbleed flaw, the mammoth size of the list turns every download into a bandwidth hog.
A leading content delivery network and distributed DNS provider that has a working relationship with GlobalSign, a leading CA, reports that the number of revoked certificates in GlobalSign's CRL jumped from 1,492 to 133,243, and the CRL download grew from 22 KB to 4.9 MB. Browsers downloading the GlobalSign CRL generated around 40 Gbps of net new traffic across the Internet. A little back-of-the-envelope calculation, assuming a global average bandwidth price of around $10/Mbps, shows that merely delivering the revised CRL would have added about $400,000 USD to GlobalSign's monthly bandwidth bill, and that is just one CA.
Because security and the peace of mind of our customers are important to us, NationalNet was one of the first hosting companies to be aware of this bug. Within one day we had scanned every server we manage, and thanks to our security policies we found only 12 affected servers out of the more than 3,000 servers we manage.