CertSentry
Comodo
CertSentry checks the revocation status of SSL certificates on websites in real time. Once installed, CertSentry is invoked whenever you run an application that uses the standard Microsoft CryptoAPI.
The application has two aims. First, it is designed to implement effective SSL revocation checking in popular Windows software such as Chrome, Internet Explorer, Dragon and Outlook. Second, CertSentry is an effort to learn more about the health of the current revocation-checking infrastructure by collecting statistics on the response times of Online Certificate Status Protocol (OCSP) responders operated by Certificate Authorities (CAs). Sharing the data gathered by CertSentry with other CAs and major browser vendors will, we hope, give organizations such as the Certificate Authority/Browser (CA/B) Forum the information they need to implement a viable, long-term strategy for certificate revocation checks.
Key functionality and features:
- Once installed, CertSentry becomes the default SSL certificate revocation provider for Windows. The host application loads certsentry.dll into its process space whenever it requests a certificate revocation check. Host applications include browsers such as Dragon, Chrome and Internet Explorer and mail applications such as Microsoft Outlook.
- CertSentry will re-enable Online Certificate Status Protocol (OCSP) checking within Google's Chrome browser. OCSP checking was recently disabled by Google.
- CertSentry is also designed to gather statistics on the health of the current revocation checking infrastructure. No personal or identifying data about you or your Internet usage is included in these statistics. All that is revealed is the issuing (root) CA certificate involved in the OCSP check – not the end-entity certificate of the website in question. In other words, it informs us that a revocation check was made for a certificate on an (unknown) website and that the certificate was issued by Certificate Authority X. It also tells us whether the request was answered, the speed of the response and the type of response. It does not inform us of the URL of the website on whose behalf the check was initiated. The data we receive will be enough to compare and contrast the performance and availability of each CA's revocation servers. CertSentry is designed to send its logs to the CertSentry server every 24 hours; the logs can be found at the following location:
Windows Vista/7: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Comodo\CertSentry
- CertSentry also provides the option to 'hard fail' certificate revocation checks. Ordinarily, if a browser receives no answer to a revocation check, it simply assumes the certificate is valid (not revoked) and allows the connection to proceed. This is known as a 'soft fail'. Browsers that are set up to 'hard fail' instead treat the lack of a response as meaning the certificate is invalid (revoked) and block the connection to the website. While soft fails obviously present a potential security issue, enabling hard fail can lead to an increase in rejected connections if the OCSP responder operated by the CA cannot be contacted for technical reasons. By default, hard fail is not enabled in CertSentry. To enable it, add the following value to your Windows registry as a REG_DWORD:
To enable hard fail for all certificates from all CAs:
HKEY_LOCAL_MACHINE\SOFTWARE\COMODO\CertSentry\DefaultFailureMode (value 2)
Please restart your system to apply your changes.
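The registry change above can be made and verified from an elevated PowerShell session instead of regedit. The following script is an added example, not Comodo's code; it assumes the key, value name and meaning are exactly as this page states (HKLM\SOFTWARE\COMODO\CertSentry\DefaultFailureMode, REG_DWORD, 2 = hard fail for all CAs). No other values are documented here, so the script only ever writes 2 or removes the value to return to the default soft-fail behaviour.

```powershell
# Added example (not Comodo's code): manage the CertSentry hard-fail switch
# described on this page from PowerShell.
# Assumption: key path, value name and the meaning of 2 are taken from the page;
# nothing else about DefaultFailureMode is documented, so only 2 or "absent" is used.

$KeyPath     = 'HKLM:\SOFTWARE\COMODO\CertSentry'
$ValueName   = 'DefaultFailureMode'
$HardFailAll = 2   # the one value the page documents: hard fail for all CAs

function Get-CertSentryFailureMode {
    # Returns the current DWORD, or $null when the value is absent (soft-fail default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-CertSentryHardFail {
    # Needs an elevated (Administrator) session because the key lives under HKLM.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -PropertyType DWord writes REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $HardFailAll `
        -PropertyType DWord -Force | Out-Null

    # Read the value back so a typo in the path or a permissions problem is caught now,
    # not after the reboot when connections start failing unexpectedly.
    $mode = Get-CertSentryFailureMode
    if ($mode -ne $HardFailAll) {
        throw "Expected $ValueName = $HardFailAll but found '$mode'"
    }
    Write-Host "Hard fail enabled (DefaultFailureMode = $mode). Restart Windows to apply."
}

function Disable-CertSentryHardFail {
    # Removing the value restores the documented default (hard fail off).
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Write-Host "DefaultFailureMode removed; CertSentry returns to soft fail after a restart."
}

# Usage (elevated session):
#   Enable-CertSentryHardFail
#   Get-CertSentryFailureMode
#   Disable-CertSentryHardFail
```

Because hard fail turns every unreachable OCSP responder into a blocked connection, it is worth enabling it on a test machine first and watching for rejected connections to sites whose CA responders are slow or unavailable before rolling it out more widely. The script deliberately does not reboot the machine; as the page says, a restart is required for the change to take effect.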