[cryptography] Chrome to drop CRL checking

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Tue Feb 7 06:33:25 EST 2012


On 02/07/2012 11:51 AM, Ben Laurie wrote:
>> The security argument itself seems very weak.  There is no evidence yet that
>> the alternative strategy that Google proposes, namely letting them control
>> the CRL list (and thus another part of the internet infrastructure), is any
>> safer for the user in the long run.
>
> The point is that using this mechanism means Chrome always has an
> up-to-date revocation list - as it is now, revocation checking can be
> blocked and Chrome will allow revoked certs as a result.

I understood that, but that's just a story, not evidence.  A meaningful 
analysis will not focus on a single story (Schneier's "Hollywood 
plots"), but look at the issue from all angles and include some real data.

>> Certainly the privacy concern that Google expresses "because the CA learns
>> the IP address of users and which sites they're visiting" does not extend to
>> Google itself, which already has much more detailed information about its
>> users.
>
> Since it is a push mechanism, Google does not get which sites the user
> is visiting.

As written, that is a very misleading statement.  It's true that they 
don't get that data through the CRL mechanism.  But they still know 
which sites the user is visiting from several other mechanisms.  Google 
Chrome sends every letter typed into the URL or search box to Google 
Search, and Google Analytics keeps track in the background when you are 
not typing but navigating.  And that's just scratching the surface of 
the tracking and aggregation they are already doing.  On top of that, 
they can always turn the data mining screw if they need to.

That's not surprising of course (once you consider security economics), 
as a browser with strong privacy measures would undermine Google's 
business model and thus be a negative value proposition.  In contrast, 
for a CA it's the smarter business move to protect the privacy of the 
data collected.  The incentives are clear here and not in Google's 
favor.  The privacy argument is a red herring, and Google raising it is 
hypocritical.

Thanks,
Marcus


