[cryptography] Chrome to drop CRL checking

Ben Laurie ben at links.org
Tue Feb 7 05:51:19 EST 2012

On Tue, Feb 7, 2012 at 9:56 AM, Marcus Brinkmann
<marcus.brinkmann at ruhr-uni-bochum.de> wrote:
> Hi,
> On 02/07/2012 03:52 AM, Steven Bellovin wrote:
>> http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars
> While I am no fan of CRLs, I think it's worth mentioning that Google's
> primary objective here does not at all seem to be the security of anything
> except their position in the race for the fastest browser:
> "online revocation checks are slow and compromise privacy. The median time
> for a successful OCSP check is ~300ms and the mean is nearly a second. This
> delays page loading and discourages sites from using HTTPS"
> This is a very backward way to say that a 300ms faster response time
> encourages people to use Chrome over competing browsers.
> The security argument itself seems very weak.  There is no evidence yet that
> the alternative strategy that Google proposes, namely letting them control
> the CRL list (and thus another part of the internet infrastructure), is any
> safer for the user in the long run.

The point is that using this mechanism means Chrome always has an
up-to-date revocation list - as it is now, revocation checking can be
blocked and Chrome will allow revoked certs as a result.

> Certainly the privacy concern that Google expresses "because the CA learns
> the IP address of users and which sites they're visiting" does not extend to
> Google itself, which already has much more detailed information about its
> users.

Since it is a push mechanism, Google does not get which sites the user
is visiting.

> With a dubious motive and no clear advantage over the existing
> infrastructure, I'm underwhelmed.
> Thanks,
> Marcus
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

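Added example, not from this thread and not Chrome's code: a small Python simulation of the two points argued above. A stand-in OCSP responder can be "blocked" to model a network that drops revocation traffic, and it records which certificates were queried so the privacy leak Marcus quotes is visible; a pushed, locally stored revocation set is looked up without any network traffic. The issuer name, serials, hostnames, the CRLSet-style structure and the one-week staleness window are all constructed assumptions for illustration.

```python
"""Compare three revocation strategies when revocation traffic is blocked:
soft-fail OCSP, hard-fail OCSP, and a pushed local revocation set.
Added example; not Chrome's code and not the CRLSet wire format."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"              # certificate is known to be revoked
    UNAVAILABLE = "unavailable"    # status could not be determined


@dataclass(frozen=True)
class Cert:
    issuer: str    # stands in for the issuer's SPKI hash (assumption)
    serial: int
    host: str


class OcspResponder:
    """Constructed stand-in for a CA's OCSP responder. It records every
    query (the serial identifies the site, so the CA learns which site the
    user visited) and can be 'blocked' to model dropped revocation traffic."""

    def __init__(self, revoked: set[tuple[str, int]], blocked: bool = False):
        self.revoked = revoked
        self.blocked = blocked
        self.seen_hosts: list[str] = []   # what the CA learns about the user

    def query(self, cert: Cert) -> bool:
        if self.blocked:
            raise TimeoutError("OCSP responder unreachable")
        self.seen_hosts.append(cert.host)
        return (cert.issuer, cert.serial) in self.revoked


@dataclass
class PushedRevocationSet:
    """Revocation data pushed to the client out of band (CRLSet-style).
    Lookups are local, so no per-visit query leaves the machine."""
    sequence: int
    issued_at: float
    entries: set[tuple[str, int]] = field(default_factory=set)
    max_age: float = 7 * 24 * 3600   # assumption: a week-old set is stale

    def is_fresh(self, now: float) -> bool:
        return now - self.issued_at <= self.max_age

    def lookup(self, cert: Cert, now: float) -> Verdict:
        # A stale set is the pushed mechanism's own failure mode: surface it
        # rather than silently treating old data as current.
        if not self.is_fresh(now):
            return Verdict.UNAVAILABLE
        if (cert.issuer, cert.serial) in self.entries:
            return Verdict.REJECT
        return Verdict.ACCEPT


def check_ocsp(cert: Cert, responder: OcspResponder, soft_fail: bool) -> Verdict:
    try:
        revoked = responder.query(cert)
    except TimeoutError:
        # Soft-fail treats "no answer" as "not revoked"; hard-fail refuses.
        return Verdict.ACCEPT if soft_fail else Verdict.UNAVAILABLE
    return Verdict.REJECT if revoked else Verdict.ACCEPT


@dataclass
class Outcome:
    verdicts: dict[str, Verdict]
    ca_saw_hosts: list[str]


def compare_strategies(blocked: bool, now: float) -> Outcome:
    """Run all three strategies against one revoked certificate."""
    revoked = {("Example CA", 0x1234)}                       # constructed
    cert = Cert("Example CA", 0x1234, "revoked.example")     # constructed
    responder = OcspResponder(revoked, blocked=blocked)
    pushed = PushedRevocationSet(sequence=1, issued_at=now - 3600,
                                 entries=set(revoked))
    verdicts = {
        "soft_fail_ocsp": check_ocsp(cert, responder, soft_fail=True),
        "hard_fail_ocsp": check_ocsp(cert, responder, soft_fail=False),
        "pushed_set": pushed.lookup(cert, now),
    }
    return Outcome(verdicts, list(responder.seen_hosts))


if __name__ == "__main__":
    for blocked in (False, True):
        out = compare_strategies(blocked=blocked, now=1_000_000.0)
        print(f"blocked={blocked}: {out.verdicts}  CA saw {out.ca_saw_hosts}")
```

With revocation traffic blocked, soft-fail OCSP accepts the revoked certificate, hard-fail OCSP cannot load anything, and the pushed set still rejects it; with the network open, the responder's log shows the hostnames the CA learned, while the local lookup records nothing. The freshness check is the caveat on the pushed side: a client that stops receiving updates is back to trusting stale data.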