
Re: [SECURITY] [DSA 2939-1] chromium-browser security update

On 1/06/2014 12:31 AM, Michael Gilbert wrote:
> On Sat, May 31, 2014 at 7:44 AM, Andrew McGlashan wrote:
>> Does Chromium suffer from the Google decision to make use of OCSP
>> impossible?  Therefore, an untrustworthy browser.
> Basically, the answer is the design of certificate revocation is
> fundamentally flawed, and Google have their own security model:
> http://www.imperialviolet.org/2012/02/05/crlsets.html
> That should not in any way lead to the conclusion that chromium or
> google chrome are untrustworthy.  It just means that Google uses an
> alternative approach to a fundamentally unsolvable problem.

Absolutely you cannot trust Google's method of placing a bandaid on the

There are about a day's worth of revoked certificates in CRLset .. that
is far from sufficient for certs that can be up to 10 years old, albeit
most are 1 or 2 years.

OCSP is far superior to CRLset and even better when you force a
response to be required -- which is possible, but not default with Firefox.

We may see certificate stapling as an answer, but that won't be enough
if it cannot be certified to /require/ stapling in the cert itself.
There may be other solutions in time.

You are right in saying that the whole certificate revocations model is
flawed, but not as flawed as what Google is choosing to use in CRLset.
Quite simply, Google's response to this problem is a joke.

