CRLite+ – Lightweight Certificate Revocation Extension

Analyzed CRLs and OCSP limitations: CRLs are large and slow, OCSP adds latency and leaks privacy. Studied Mozilla's CRLite to understand cascaded Bloom filters. Requirements: sub-10ms checking, zero network roundtrips, privacy-preserving, Chromium-compatible.

Analysis revealed existing mechanisms fail to balance performance, privacy, and scalability. CRLite's approach provided the foundation for CRLite+.

• Identified core needs: low latency, privacy, scalability, Chromium compatibility
• Studied CRLite's cascaded Bloom filter approach
• Defined success: 100% accuracy, <1MB memory, negligible overhead

Three-component system: Python filter generator, Node.js backend for certificate retrieval, Chrome extension for enforcement. Cascaded Bloom filters: blacklist (revoked serials) + whitelist (eliminates false positives). Uses MurmurHash3 for performance, SHA-256 for certificate hashing.

Modular architecture enables independent optimization. Cascaded filters provide accurate, scalable checking with minimal memory overhead.

• Python generates static filter cascades
• Node.js backend manages certificates and revocation lists
• Chrome extension performs real-time validation
• Cascaded filters ensure zero false positives with minimal memory

Pipeline: Node.js backend creates raw TLS connections, extracts certificate serials, maintains revocation lists. Python processes data to generate static filter cascades. JSON endpoints enable extension-backend communication for live updates.

Pipeline separates static filter construction from dynamic updates, enabling efficiency and flexibility while keeping revocation lists current.

• Node.js fetches certificates via raw TLS, extracts serials with SHA-256
• Python generates cascaded filters from revocation lists
• JSON API enables dynamic updates without filter regeneration

Chrome extension (Manifest V3) intercepts certificates during TLS handshake, performs Bloom filter lookups, blocks revoked domains. Node.js backend manages revocation lists via REST API. Python generates filter cascades. Achieves 2-5ms checking overhead.

Fully functional extension with real-time revocation checking. Modular codebase enables efficient interception, fast lookups, and seamless blocking.

• Extension: certificate interception, cascade lookup (blacklist → whitelist), domain blocking
• Backend: raw TLS connections, certificate extraction, revocation list management
• Python: filter generation with configurable parameters

Simulated revocations by injecting trusted domains (github.com, uic.blackboard.com) to verify complete enforcement flow. Results: 100% detection accuracy, 2-5ms checking time, zero false positives. Iterations optimized filter parameters, reducing memory to <512KB (static) and <200KB (dynamic).

Evaluation confirms accurate revocation detection with minimal overhead. Iterations optimized parameters, resulting in a practical client-side revocation system for Chromium browsers.

• 100% accuracy across multiple domains and certificate types
• 2-5ms average checking time, negligible page load impact
• Zero false positives through cascade architecture
• Memory optimized: <512KB static, <200KB dynamic