by internetisthesh
4198 days ago
Chrome doesn't do full revocation checking by default. Instead they have a non-standard implementation called CRLset which handles specific revocations. To me, revocation is a fundamental part of PKI, so the fact that they don't do it makes me question how secure https really is with Chrome anyway.

Chrome does revocations. They just don't use the standard mechanisms (which, BTW, you can enable if you want.) CRLsets are Chrome's revocation mechanism.
The problem with the standard mechanism is that if the browser can't reach the online revocation server, it trusts by default (fail-open).
The reason it fails open is that this (i.e., the lack of connectivity to the revocation server) is a pretty common case -- most captive portals, for example, would not work because they require HTTPS to sign in, while at the same time, disallowing any other network connectivity.
So, we now have a single-point-of-failure in the revocation server, which can be quite easily exploited by an attacker -- simply killing connections to this server will make browsers bypass the check.
The CRLset system closes this hole by periodically pushing revocation lists down to the browser, obviating the need for an online check. (Not to say that CRLset does not have its own problems. It does, but they're less severe.)
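
The trade-off discussed in this thread, as an added Python model that is not part of either comment and is not Chrome's code. All class and function names are hypothetical and the serials are constructed; the pushed list is assumed to carry only a subset of the CA's revocations, as the first comment says of CRLset.

```python
# Added illustration, not Chrome's implementation. Names and serials are constructed.
from dataclasses import dataclass


class ResponderUnreachable(Exception):
    """The online revocation server could not be contacted."""


@dataclass
class OnlineResponder:
    revoked: frozenset       # every serial the CA has revoked
    reachable: bool = True   # False: captive portal, outage, or dropped connections

    def is_revoked(self, serial: str) -> bool:
        if not self.reachable:
            raise ResponderUnreachable(serial)
        return serial in self.revoked


def online_check(serial: str, responder: OnlineResponder, hard_fail: bool) -> bool:
    """Return True if the certificate is accepted."""
    try:
        return not responder.is_revoked(serial)
    except ResponderUnreachable:
        # Soft-fail (the fail-open default described above) accepts; hard-fail rejects.
        return not hard_fail


def pushed_list_check(serial: str, pushed: frozenset) -> bool:
    """Local lookup in a list delivered earlier; needs no network at check time."""
    return serial not in pushed


def compare(serial: str, responder: OnlineResponder, pushed: frozenset) -> dict:
    """Accept/reject decision of each policy for one certificate serial."""
    return {
        "soft_fail": online_check(serial, responder, hard_fail=False),
        "hard_fail": online_check(serial, responder, hard_fail=True),
        "pushed_list": pushed_list_check(serial, pushed),
    }


CA_REVOKED = frozenset({"serial-A", "serial-B"})  # constructed: all CA revocations
PUSHED = frozenset({"serial-A"})                  # constructed: serial-B never pushed

if __name__ == "__main__":
    for reachable in (True, False):
        responder = OnlineResponder(CA_REVOKED, reachable)
        for serial in ("serial-A", "serial-B", "serial-good"):
            print(f"reachable={reachable} {serial}: {compare(serial, responder, PUSHED)}")
```

With the responder unreachable, soft-fail accepts the revoked `serial-A` and hard-fail rejects even `serial-good`, while the pushed list still rejects `serial-A`. The pushed list accepts `serial-B` in every case because that revocation was never delivered to it.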