No More SSL Revocation Checking For Chrome

New submitter mwehle writes with this bit from Ars Technica: "Google's Chrome browser will stop relying on a decades-old method for ensuring secure sockets layer certificates are valid after one of the company's top engineers compared it to seat belts that break when they are needed most. The browser will stop querying CRL, or certificate revocation lists, and databases that rely on OCSP, or online certificate status protocol, Google researcher Adam Langley said in a blog post published on Sunday. He said the services, which browsers are supposed to query before trusting a credential for an SSL-protected address, don't make end users safer because Chrome and most other browsers establish the connection even when the services aren't able to ensure a certificate hasn't been tampered with."

Why?

[John+Hasler]

...Chrome and most other browsers establish the connection even when the services aren't able to ensure a certificate hasn't been tampered with.

Why?

Re:Why?

[Spad]

Because otherwise (as I've discovered by switching it on in Seamonkey) about 20% of the time the connection to the CRL/OCSP server fails for whatever reason and so your site won't load, even though there's nothing wrong with its certificate.

Now you might argue that false positives are preferable to ignoring problems, but it does break the user experience pretty badly.

Re:Why?

[Richard_at_work]

Yes. Because if you are in a MITM position to inject your own compromised cert for site Y, then you are also in the perfect position to deny access to the cert validation servers to stop the validation happening.

The solution is more resilient servers and services, not eliminating the checking.

Re:Why?

[Imagix]

Now you might argue that false positives are preferable to ignoring problems, but it does break the user experience pretty badly.

And this is the problem with security. People want the security/safety.... unless it's inconvenient. And yes, there is something "wrong" with the certificate. It is unverifiable as to whether it is still valid. Which you asked it to do.

Re:Why?

[kbg]

"CRL/OCSP server fails for whatever reason".

No it fails because the server administrators for the CRL are incompetent morons. A CRL server is a mission critical server that should stay up 24-7.

If Chrome and other browsers would simply display an error page with text explaining the problem and point to the offending server, I am sure the problems would be fixed very quick.

Re:Why?

[kbg]

Yes it should. CRL server for X is mission critical and should always work. There is no excuse for it not working.

Re:Why?

If a CA cannot keep their uptime, they shouldn't be in the business. Part of the fairly high cost of certificate purchases is the fact the CA is going to run multiple, geographically distributed data centers with adequate server coverage. That, or hire a provider that has is ready/willing/able to do this.

It is just like banks -- if a bank's server failed causing a loss of transaction info for a period of time, nobody would care how hard it is to have 99.999% uptime -- the bank failed in its duties regardless of the reason (hardware failure, Internet issues, security issues, etc.) This is just the same with CAs and revocation.

Re:Why?

[Guppy06]

The real problem with false positives isn't that they are "inconvenient" but that they breed complacency. If 99% of the alerts you get are false, what are the odds you'll actually give enough due diligence to catch the remaining 1%?

Re:Why?

[Hentes]

They could load the site and simultaneously display a small warning, thus letting the users decide whether they want to trust it or not. Loading an untrusted is not a tragedy by itself.

Re:Being Google

[Ferzerp]

Except now Google is presenting itself as an authority on the status of certificates that it has no business doing so with to the users of chrome.

This is a bad thing.