[cryptography] Chrome to drop CRL checking
ben at links.org
Tue Feb 7 05:51:19 EST 2012
On Tue, Feb 7, 2012 at 9:56 AM, Marcus Brinkmann
<marcus.brinkmann at ruhr-uni-bochum.de> wrote:
> On 02/07/2012 03:52 AM, Steven Bellovin wrote:
> While I am no fan of CRLs, I think it's worth mentioning that Google's
> primary objective here does not at all seem to be the security of anything
> except their position in the race for the fastest browser:
> "online revocation checks are slow and compromise privacy. The median time
> for a successful OCSP check is ~300ms and the mean is nearly a second. This
> delays page loading and discourages sites from using HTTPS"
> This is a very backward way to say that a 300ms faster response time
> encourages people to use Chrome over competing browsers.
> The security argument itself seems very weak. There is no evidence yet that
> the alternative strategy that Google proposes, namely letting them control
> the CRL list (and thus another part of the internet infrastructure), is any
> safer for the user in the long run.
The point is that using this mechanism means Chrome always has an
up-to-date revocation list - as it is now, revocation checking can be
blocked and Chrome will allow revoked certs as a result.
> Certainly the privacy concern that Google expresses "because the CA learns
> the IP address of users and which sites they're visiting" does not extend to
> Google itself, which already has much more detailed information about its
Since it is a push mechanism, Google does not get which sites the user
> With a dubious motive and no clear advantage over the existing
> infrastructure, I'm underwhelmed.
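An added example, not from the thread, that models in Python the two behaviours being contrasted above: a soft-fail online check, where a blocked responder turns into an accept, versus a pushed revocation set that answers without any network round trip. The serial numbers, the revoked set and the "network" are all constructed.

```python
"""Added example (not from the mailing-list thread): online soft-fail
revocation checking versus a revocation set pushed to the client."""
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    SOFT_FAIL_ACCEPT = "accept (responder unreachable, check skipped)"


# Constructed sample data: serials the CA has revoked, as the OCSP
# responder (or a CRL) would know them.
REVOKED_SERIALS = frozenset({0x1A2B, 0x0F00})


class ResponderUnreachable(Exception):
    """Raised when the online check cannot complete (e.g. traffic filtered)."""


def ocsp_query(serial: int, network_up: bool) -> bool:
    """Simulated OCSP lookup. Returns True if the serial is revoked."""
    if not network_up:
        raise ResponderUnreachable("OCSP responder unreachable")
    return serial in REVOKED_SERIALS


def check_online_soft_fail(serial: int, network_up: bool) -> Verdict:
    """Soft-fail online checking: if the lookup is blocked, the failure is
    ignored and the certificate is accepted. This is the failure mode the
    reply above points at: blocking the check lets a revoked cert through."""
    try:
        revoked = ocsp_query(serial, network_up)
    except ResponderUnreachable:
        return Verdict.SOFT_FAIL_ACCEPT
    return Verdict.REJECT if revoked else Verdict.ACCEPT


def check_pushed_set(serial: int, pushed: frozenset) -> Verdict:
    """Push model: the client already holds the revocation set, so the
    decision needs no live lookup and cannot be suppressed by blocking
    traffic at connection time."""
    return Verdict.REJECT if serial in pushed else Verdict.ACCEPT


def compare(serial: int, network_up: bool) -> dict:
    """Return both verdicts side by side for one certificate."""
    return {
        "online_soft_fail": check_online_soft_fail(serial, network_up),
        "pushed_set": check_pushed_set(serial, REVOKED_SERIALS),
    }
```

A pushed set is only as good as its last update, so a client relying on it still has to track when the set was last refreshed.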