Chrome turns its back on security standard

Google is right that digital certificate revocation checking is broken, but wrong to abandon the standard

Page 2 of 3

Google cites a number of reasons for getting rid of CRL and OCSP checking:

  • Revocation checking doesn't work because revocation links aren't included or the revocation sites aren't available
  • Revocation checking doesn't work because the browsers can't or don't enforce it
  • Revocation checking is a significant security vulnerability because attackers can intercept a revocation check and cause a fake failure that the browser will ignore
  • OCSP is slow, often adding up to a second to the website connection process

I don't buy the "revocation checking is too slow" argument. It's already being done on every single HTTPS-enabled website visited, and even though it might fail, the time to check is already allocated. More to the point, I don't know a single user complaining about slow connections to their HTTPS-enabled website. Plus, once you've visited a website that uses a digital certificate, the revocation check is cached, often for many days, so that subsequent visits don't undergo the same revocation check until the cache entry expires.

Nevertheless, Google is more concerned about the current revocation checking process not working and not having real value. Its fix is to replace online revocation checking with a local revocation list in Chrome that is updated as needed. The Chrome browser will check the local list each time revocation checking is needed. In order for this to work, digital certificate issuers (or trusted third parties) will need to send lists of revoked certificates to Google whenever new ones are added.

A few Internet browsers, including Chrome and Internet Explorer, already use local revocation lists. Microsoft uses both local and remotely checked revocation lists. What is changing is the fact that Chrome will no longer use the remote methods for standard revocation checking, although it may continue to do so for the more highly trusted Extended Validation (EV) certificates. Further, the updates to the local revocation list will be able to take effect without restarting Chrome; currently a restart is needed for the new local revocation list to take effect.

Google's decision is disruptive in a number of ways. Chrome will be the only major browser that uses local revocation checking alone, departing from the industry standard. Google will have to make sure that revoked certificates are added promptly to its local lists to remain effective. This will put the burden on each certificate issuer to notify Google directly (using a custom format and procedure) to assure that Google blocks the certificate. Finally, Chrome's local revocation checking is being implemented in a nonstandard way, so there is no assurance that other applications will be able to use the updated list.

| 1 2 3 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies