Google to strip Chrome of SSL revocation checking

Status
Not open for further replies.

HeffeD

Thread author
Feb 28, 2011
ARS Technica said:
Google's Chrome browser will stop relying on a decades-old method for ensuring secure sockets layer certificates are valid after one of the company's top engineers compared it to seat belts that break when they are needed most.

The browser will stop querying CRL, or certificate revocation lists, and databases that rely on OCSP, or online certificate status protocol, Google researcher Adam Langley said in a blog post published on Sunday. He said the services, which browsers are supposed to query before trusting a credential for an SSL-protected address, don't make end users safer because Chrome and most other browsers establish the connection even when the services aren't able to ensure a certificate hasn't been tampered with.

"So soft-fail revocation checks are like a seat-belt that snaps when you crash," Langley wrote. "Even though it works 99% of the time, it's worthless because it only works when you don't need it."

 
So it looks like user convenience trumps security...

Surely a hard-fail system is a better response?
 
I think most people have agreed that a hard-fail system would be better. As said though this is months away from happening - we'll see what the final system holds.

As it stands now I don't much like the change. It's true though that revocation checks aren't that helpful.
 
Hungry Man said:
It's true though that revocation checks aren't that helpful.

So maybe a better tactic would be to look at ways to improve the system so they would be more helpful? Google definitely has the resources and clout to propose alternatives.
 
They are proposing an alternative. It's not like they're removing it but not replacing it. They're going to work with CAs to get the revocations and then push them out.
 
The trouble is hackers are going after the CA providers, so it doesn't really matter what Chrome does when that happens. Updating the revocation list through Chrome updates either means there will be a ton of updates or days of revoked CAs will exist. If they could create an auto-run, real-time service that uses low system resources and acts as a revocation update for Chrome, that could be an alternative.
 
It updates the list before you're handed off to the site, slowing the browser down. If you had a process running on the PC, it could update the revoke list before the site address is even entered into the browser.
 
From what I gathered the CA revoke list will be attached to the Chrome update, which only updates every couple of weeks when there is a new revision.
 
I gotta stop reading stuff half-assed. Right at the bottom of the page: automatic update mechanism. I was thinking how bad of an idea it would be to roll it into the Chrome release update.
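The thread compares three ways a client can decide whether a certificate is revoked: an online OCSP/CRL query that soft-fails (Langley's "seat-belt that snaps"), the same query with hard-fail, and a revocation list pushed to the client out of band, which removes the network dependency but can lag behind the CA. The following simulation is an added example written for this thread; it is not Chrome's code or anything from the article. The responder, the serial number and the outage are all constructed, and the classes are hypothetical names chosen for illustration.

```python
"""Simulation of browser revocation-check policies (constructed example).

Three policies are modelled:
  - ONLINE_SOFT_FAIL: query a responder; treat "no answer" as acceptable.
  - ONLINE_HARD_FAIL: query a responder; treat "no answer" as fatal.
  - PUSHED_LIST: consult only a revocation set delivered to the client
    out of band, with no network query at connection time.
Nothing here talks to a real OCSP responder; the responder is a stub.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    ONLINE_SOFT_FAIL = "soft-fail"
    ONLINE_HARD_FAIL = "hard-fail"
    PUSHED_LIST = "pushed-list"


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # responder unreachable, timed out or blocked


@dataclass
class OcspResponder:
    """Hypothetical responder: knows which serials are revoked and may be down."""
    revoked: set
    reachable: bool = True

    def query(self, serial: str) -> Status:
        if not self.reachable:
            return Status.UNAVAILABLE
        return Status.REVOKED if serial in self.revoked else Status.GOOD


@dataclass
class RevocationChecker:
    policy: Policy
    responder: OcspResponder
    pushed_list: set = field(default_factory=set)  # locally cached revoked serials

    def accept(self, serial: str) -> bool:
        """Return True if the connection should proceed with this certificate."""
        if self.policy is Policy.PUSHED_LIST:
            # No network round trip: the decision depends only on the cached list.
            return serial not in self.pushed_list
        status = self.responder.query(serial)
        if status is Status.REVOKED:
            return False
        if status is Status.UNAVAILABLE:
            # The seat-belt that snaps: soft-fail proceeds when the check
            # cannot be completed; hard-fail refuses the connection.
            return self.policy is Policy.ONLINE_SOFT_FAIL
        return True


REVOKED_SERIAL = "0xDEADBEEF"   # constructed serial of a certificate the CA revoked


def online_outcomes(serial: str = REVOKED_SERIAL) -> dict:
    """Accept/refuse for each online policy with the responder up and down.
    Returns {(policy value, responder_reachable): accepted}."""
    out = {}
    for reachable in (True, False):
        responder = OcspResponder(revoked={serial}, reachable=reachable)
        for policy in (Policy.ONLINE_SOFT_FAIL, Policy.ONLINE_HARD_FAIL):
            out[(policy.value, reachable)] = RevocationChecker(policy, responder).accept(serial)
    return out


def pushed_list_outcomes(serial: str = REVOKED_SERIAL) -> dict:
    """Accept/refuse for the pushed-list policy when the list is current vs stale.
    The responder is deliberately unreachable to show it is never consulted."""
    responder = OcspResponder(revoked=set(), reachable=False)
    return {
        "list current": RevocationChecker(Policy.PUSHED_LIST, responder, {serial}).accept(serial),
        "list stale": RevocationChecker(Policy.PUSHED_LIST, responder, set()).accept(serial),
    }


if __name__ == "__main__":
    for key, accepted in online_outcomes().items():
        print(f"{key[0]:10s} responder reachable={key[1]!s:5s} -> accepted={accepted}")
    for key, accepted in pushed_list_outcomes().items():
        print(f"pushed-list {key:12s} -> accepted={accepted}")
```

Run it and the two failure modes the thread argues about fall out directly: soft-fail accepts the revoked certificate as soon as the responder is unavailable, hard-fail refuses it but also refuses whenever the responder is merely down, and the pushed list is immune to responder outages yet accepts the revoked certificate for as long as the pushed copy is stale, which is why the update cadence raised in the thread matters.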
 