[cryptography] Chrome to drop CRL checking
marcus.brinkmann at ruhr-uni-bochum.de
Tue Feb 7 06:33:25 EST 2012
On 02/07/2012 11:51 AM, Ben Laurie wrote:
>> The security argument itself seems very weak. There is no evidence yet that
>> the alternative strategy that Google proposes, namely letting them control
>> the CRL list (and thus another part of the internet infrastructure), is any
>> safer for the user in the long run.
> The point is that using this mechanism means Chrome always has an
> up-to-date revocation list - as it is now, revocation checking can be
> blocked and Chrome will allow revoked certs as a result.
I understood that, but that's just a story, not evidence. A meaningful
analysis will not focus on a single story (Schneier's "Hollywood
plots"), but look at the issue from all angles and include some real data.
>> Certainly the privacy concern that Google expresses "because the CA learns
>> the IP address of users and which sites they're visiting" does not extend to
>> Google itself, which already has much more detailed information about its
> Since it is a push mechanism, Google does not get which sites the user
> is visiting.
As written, that is a very misleading statement. It's true that they
don't get that data through the CRL mechanism. But they still know
which sites the user is visiting from several other mechanisms. Google
Chrome sends every letter typed into the URL or search box to Google
Search, and Google Analytics keeps track in the background when you are
not typing but navigating. And that's just scratching the surface of
the tracking and aggregation they are already doing. On top of that,
they can always turn the data mining screw if they need to.
That's not surprising of course (once you consider security economics),
as a browser with strong privacy measures would undermine Google's
business model and thus be a negative value proposition. In contrast,
for a CA it's the smarter business move to protect the privacy of the
data collected. The incentives are clear here and not in Google's
favor. The privacy argument is a red herring, and Google raising it is
More information about the cryptography