Re: [SECURITY] [DSA 2939-1] chromium-browser security update

To: debian-security <debian-security@lists.debian.org>
Subject: Re: [SECURITY] [DSA 2939-1] chromium-browser security update
From: Michael Gilbert <mgilbert@debian.org>
Date: Sat, 31 May 2014 10:31:13 -0400
Message-id: <[🔎] CANTw=MP84m0OdYFSaZb2EZypRU4yfdSWYHXfOKPQAy=vi1CYCg@mail.gmail.com>
In-reply-to: <[🔎] 5389C0B1.7000600@affinityvision.com.au>
References: <E1Wqdh0-0004OL-5G@alpha.psidef.org> <[🔎] 5389A078.6050808@oles.biz> <[🔎] 5389C0B1.7000600@affinityvision.com.au>

On Sat, May 31, 2014 at 7:44 AM, Andrew McGlashan wrote:
> Does Chromium suffer from the Google decision to make use of OCSP
> impossible?  Therefore, an untrustworthy browser.

Basically, the answer is the design of certificate revocation is
fundamentally flawed, and Google have their own security model:
http://www.imperialviolet.org/2012/02/05/crlsets.html

That should not in any way lead to the conclusion that chromium or
google chrome are untrustworthy.  It just means that Google uses an
alternative approach to a fundamentally unsolvable problem.

Best wishes,
Mike

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 2939-1] chromium-browser security update
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

References:
- Re: [SECURITY] [DSA 2939-1] chromium-browser security update
  - From: Georgi Naplatanov <gosho@oles.biz>
- Re: [SECURITY] [DSA 2939-1] chromium-browser security update
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

Prev by Date: Re: [SECURITY] [DSA 2939-1] chromium-browser security update
Next by Date: Re: [SECURITY] [DSA 2939-1] chromium-browser security update
Previous by thread: Re: [SECURITY] [DSA 2939-1] chromium-browser security update
Next by thread: Re: [SECURITY] [DSA 2939-1] chromium-browser security update
Index(es):
- Date
- Thread