[cryptography] Chrome to drop CRL checking

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Tue Feb 7 04:56:34 EST 2012


On 02/07/2012 03:52 AM, Steven Bellovin wrote:
> http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars

While I am no fan of CRLs, I think it's worth mentioning that Google's 
primary objective here does not at all seem to be the security of 
anything except their position in the race for the fastest browser:

"online revocation checks are slow and compromise privacy. The median 
time for a successful OCSP check is ~300ms and the mean is nearly a 
second. This delays page loading and discourages sites from using HTTPS"

This is a very backward way to say that a 300ms faster response time 
encourages people to use Chrome over competing browsers.

The security argument itself seems very weak.  There is no evidence yet 
that the alternative strategy that Google proposes, namely letting them 
control the CRL list (and thus another part of the internet 
infrastructure), is any safer for the user in the long run.

Certainly the privacy concern that Google expresses "because the CA 
learns the IP address of users and which sites they're visiting" does 
not extend to Google itself, which already has much more detailed 
information about its users.

With a dubious motive and no clear advantage over the existing 
infrastructure, I'm underwhelmed.
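The two mechanisms this thread contrasts can be shown side by side. The following is an added example, not part of the post above and not Google's or any browser's code: it builds a throwaway test CA, a site certificate and a CRL in memory with the third-party Python `cryptography` package (assumed installed; no network is used), then does the revocation lookup purely offline against the CRL, and separately constructs, without sending it, the OCSP request a client would otherwise have to send to the CA. The serial number in that request is exactly the "which sites they're visiting" information the privacy argument refers to. All names, serials and dates are constructed.

```python
"""Offline CRL lookup versus an OCSP query (added example, constructed data).

Requires the third-party `cryptography` package. The CA, the site certificate
and the CRL are all generated here in memory; nothing is sent anywhere.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def build_ca_and_site():
    """Constructed test CA plus one site certificate issued by it."""
    now = datetime.datetime(2012, 2, 7)  # constructed date, naive == UTC
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Example Test CA"))
        .issuer_name(_name("Example Test CA"))
        .public_key(ca_key.public_key())
        .serial_number(1)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    site_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    site_cert = (
        x509.CertificateBuilder()
        .subject_name(_name("www.example.test"))  # constructed hostname
        .issuer_name(ca_cert.subject)
        .public_key(site_key.public_key())
        .serial_number(4242)  # constructed serial
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, site_cert, now


def build_crl(ca_key, ca_cert, revoked_serials, now):
    """A CRL signed by the CA that lists the given serials as revoked.

    This is the artefact a browser vendor could fetch and push to clients
    in bulk, so the client never has to contact the CA per connection."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def is_revoked_offline(cert, crl, ca_cert):
    """Offline check: verify the CRL's signature, then look the serial up.

    No request leaves the client, so the CA learns neither the client's IP
    address nor which certificate (site) is being checked."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def ocsp_request_fields(cert, ca_cert):
    """What an online OCSP query would carry to the CA (built, never sent).

    The issuer hashes plus the serial identify the exact certificate, and
    therefore the site, that the client is about to connect to."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build()
    return {
        "serial": req.serial_number,
        "issuer_key_hash": req.issuer_key_hash.hex(),
        "issuer_name_hash": req.issuer_name_hash.hex(),
    }


if __name__ == "__main__":
    ca_key, ca_cert, site, now = build_ca_and_site()
    crl = build_crl(ca_key, ca_cert, [site.serial_number], now)
    print("revoked per pushed CRL:", is_revoked_offline(site, crl, ca_cert))
    print("OCSP request would disclose:", ocsp_request_fields(site, ca_cert))
```

The offline path only needs a fresh copy of the CRL (note the `next_update` window) and the CA's public key; the online path needs a round trip to the CA for every site, which is where both the latency figures and the privacy leak in the quoted text come from.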


