Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Google Chrome will no longer check for revoked SSL certificates online

Google has decided to drop OCSP revocation checks from Chrome because they are inefficient and slow

Google plans to remove online certificate revocation checks from future versions of Chrome, because it considers the process inefficient and slow.

Browsers currently check if a website's SSL certificate has been revoked by its issuing Certificate Authority (CA) when trying to establish an HTTPS connection. These checks are done by querying CA-operated servers through a special protocol known as OCSP (Online Certificate Status Protocol).

The problem is that browsers can't always communicate with the validation servers because of various technical problems and when something like this happens, the HTTPS connections should not be established; at least in theory.

However, because these failures can have a serious usability impact, especially when CAs experience server downtime, browser vendors have decided ignore revocation checks that result in network errors. This is a referred to as a soft-fail.

"An attacker who can intercept HTTPS connections can also make online revocation checks appear to fail and so bypass the revocation checks," Google security engineer Adam Langley said in a blog post on Sunday.

"So soft-fail revocation checks are like a seat-belt that snaps when you crash," he said. "Even though it works 99% of the time, it's worthless because it only works when you don't need it."

This suggests that online certificate revocation checking doesn't add a lot of value to Web security in its current implementation. However, keeping it on comes at a significant cost -- browsing speed.

"The median time for a successful OCSP check is ~300ms and the mean is nearly a second," Langley said. "This delays page loading and discourages sites from using HTTPS."

After considering the drawbacks, Google decided to remove OCSP checks from future versions of Chrome and replace them with a local list of revoked certificates that can be updated without requiring a browser restart. Attackers could theoretically block the update process, but this will require more effort than blocking an OCSP revocation check, Langley said.

The security engineer invited CAs to voluntarily contribute their revoked certificates to the list by publishing them in a format and place that's accessible to Google's crawler.

Experts have raised serious questions about the security and reliability of the current SSL infrastructure during recent months, following security breaches at several CAs that resulted in rogue certificates being issued. Various proposals for improving or replacing the current system are being discussed.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: CA Technologies, CSP, etwork, Google
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: applications, browsers, Google, online safety, security, software
Latest Blog Posts
Whitepapers
  • Key Considerations in Modernising Your Backup and Deduplication Solutions
    There is a definite need for better data backup solutions in today’s enterprise data centers. The question is whether to continue with software-only backup and deduplication solutions, or to make the move to a purpose-built backup appliance with deduplication capabilities. This paper provides a structured approach to assessing the advantages of the appliance model. Read this whitepaper.
    Learn more »
  • Oracle Database 11g for Data Warehousing and Business Intelligence
    Oracle Database 11g is a comprehensive database platform for data warehousing and business intelligence that combines industry-leading scalability and performance, deeply integrated analytics, and embedded integration and data-quality -- all in a single platform running on a reliable, low-cost grid infrastructure. Read on.
    Learn more »
  • IDC Forecast: Worldwide Purpose - Built Backup Appliance 2011 – 2015, Forecast Update: Explosive Growth in 2011
    This IDC Forecast Update provides share positions for revenue and raw capacity for nine named PBBA vendors for the first half of 2011. In addition, this study provides the market size and a five-year forecast for the worldwide PBBA market as part of IDC's Storage Solutions coverage. The five-year forecast includes total factory revenue and raw capacity in terabytes through 2012. The worldwide PBBA market covers both open system-and mainframe-attached products.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.