AIA Fetching technology for restoring chain of certificates

Authority Information Access (AIA) is a special extension in SSL certificates that contains information about the issuer of the certificate. This extension helps fetch intermediate certificates from the issuing certification authority. In case if server does not provide intermediate certificates, they could be downloaded from the link contained in the AIA field. This approach allows saving the certificate chain and performing an SSL certificate check, even if the server incorrectly configured. If user's client supports AIA Fetching, then user does not even aware of server configuration errors.

AIA intermediate fetching technology is currently supported by following browsers: Google Chrome, Internet Explorer and Safari. However, the AIA technology used for restoring chain of certificates is often being criticized because it encourages wrong servers’ configuration. Certificate chain would work as expected, even if intermediate certificates are not installed on the server. The main advantage of this approach is convenience for users. Nowadays, not all browsers support AIA Fetching technology. For example, it is still not implemented in Firefox.

Implementation of AIA intermediate fetching in Mozilla Firefox

Developers of the Firefox browser is not in a rush with the implementation of the AIA Fetching. According to recent analysis conducted by Mozilla experts, the overall percentage of SEC_ERROR_UNKNOWN_ISSUER errors in the case of AIA Fetching technology is still quite high.

The study based on the TLS Error Reports, with included responses from users who encountered the problem of Secure Connection Failed and provided their feedback to browser developers (using a special checkmark on the error page).

When AIA Fetching is enabled, the total percentage of certificate validation errors with unknown publisher of the certificate warning could be reduced by approximately 6%.

However, Firefox developers’ team is not ready to implement AIA Fetching, considering that incorrect configuration of the SSL certificate on the server is equivalent to the absence of any protection, which jeopardizes valuable user data.