Google Chrome to stop revocation checking of SSL certificates

Google developers have revealed that they are making changes to Google Chrome related to SSL certificate verifications.

The browser would no longer query certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP) responders when validating a site's certificate.

Instead, Chrome would rely on Google's own regularly updated database of certificates that have been revoked for security reasons.

Google researcher Adam Langley spoke about this decision:

The problem with these checks, which we call online revocation checks, is that the browser can’t be sure that it can reach the CA’s servers. There are lots of cases where it’s not possible: captive portals are one. A captive portal frequently requires you to sign in on an HTTPS site, but blocks traffic to all other sites, including the CA’s OCSP servers.

If browsers were to insist on talking to the CA before accepting a certificate, all these cases would stop working. There’s also the concern that the CA may experience downtime and it’s bad engineering practice to build in single points of failure.

Therefore, online revocation checks which result in a network error are effectively ignored (this is called “soft-fail”).
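To make the trade-off in the quote concrete, here is a small added simulation (not Chrome code and not from the article) that compares three revocation policies on constructed sample certificates: an online OCSP check with soft-fail, the same check with hard-fail, and a lookup against a browser-side list of revoked certificates like the one the article says Chrome will rely on. The OCSP responder, the issuer name, the serial numbers and the `responder_reachable` flag are all constructed stand-ins; the "unreachable" case models the captive-portal situation Langley describes, where the CA's OCSP server cannot be contacted.

```python
from dataclasses import dataclass
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"  # network error, e.g. a captive portal blocks the CA's responder


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: str


# Constructed sample data: a pretend CA whose OCSP responder knows two serials.
OCSP_RESPONDER_DB = {
    ("Example CA", "1001"): OcspStatus.GOOD,
    ("Example CA", "1002"): OcspStatus.REVOKED,
}

# Constructed stand-in for a revocation list shipped to the browser out of band,
# so no network round trip to the CA is needed at validation time.
LOCAL_REVOCATION_SET = {("Example CA", "1002")}


def query_ocsp(cert: Certificate, responder_reachable: bool) -> OcspStatus:
    """Simulate an online OCSP query; returns UNREACHABLE on a network error."""
    if not responder_reachable:
        return OcspStatus.UNREACHABLE
    return OCSP_RESPONDER_DB[(cert.issuer, cert.serial)]


def accept_online(cert: Certificate, responder_reachable: bool, hard_fail: bool) -> bool:
    """Online revocation check. Soft-fail accepts on network error; hard-fail rejects."""
    status = query_ocsp(cert, responder_reachable)
    if status is OcspStatus.REVOKED:
        return False
    if status is OcspStatus.UNREACHABLE:
        return not hard_fail
    return True


def accept_local_set(cert: Certificate) -> bool:
    """Local-list check: no network dependency, answer is the same online or offline."""
    return (cert.issuer, cert.serial) not in LOCAL_REVOCATION_SET


def compare_policies(cert: Certificate, responder_reachable: bool) -> dict:
    """Return the accept/reject decision of each policy for one certificate."""
    return {
        "online-soft-fail": accept_online(cert, responder_reachable, hard_fail=False),
        "online-hard-fail": accept_online(cert, responder_reachable, hard_fail=True),
        "local-revocation-set": accept_local_set(cert),
    }


if __name__ == "__main__":
    good = Certificate("Example CA", "1001")
    revoked = Certificate("Example CA", "1002")
    for label, cert in (("good", good), ("revoked", revoked)):
        for reachable in (True, False):
            print(label, "responder reachable" if reachable else "responder unreachable",
                  compare_policies(cert, reachable))
```

Running the script shows the two failure modes the quote weighs against each other: with the responder unreachable, soft-fail accepts even the revoked certificate (the check added no safety), while hard-fail rejects even the good one (the captive-portal sign-in page would break). The local-list policy gives the same answer in both network conditions, which is the property the article's change is after; its limitation, not shown here, is that it only knows about revocations that were pushed to the browser before the connection.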

