The decision to strip online certificate revocation checks from Chrome is misguided, Symantec says

Symantec says that Google and other browser vendors should help fix OCSP instead of giving up on it

Stripping OCSP (Online Certificate Status Protocol) and CRL (certificate revocation list) checks from Google Chrome could have dangerous implications because it will turn Google into a single point of failure, according to security vendor Symantec.

When accessing a website over HTTPS (HTTP Secure), browsers check whether its SSL certificate has been revoked by the issuing certificate authority (CA). This is done by querying the CA's OCSP responder or by checking its published certificate revocation list.

For usability reasons, all major browsers currently ignore OCSP and CRL requests that result in network errors by default, in what is known as a soft-fail mechanism. However, some of them do offer users the option to enable hard-fail, which triggers errors for every request that goes unanswered.

On Feb. 5, Adam Langley, a security engineer at Google, announced that Chrome will stop performing OCSP and CRL checks in future versions. Instead, these checks are to be replaced with a locally cached list of revoked certificates that will be kept up to date by Google.

The reasons behind the decision are related to performance and security issues. OCSP and CRL requests increase page load times and are susceptible to blocking by man-in-the-middle attackers or captive portals, websites commonly used by Wi-Fi access points to prevent HTTP connections before users authenticate.

"This is a corner case that happens very infrequently. We argue that one shouldn't discard OCSP and CRLs because they don't work in a tiny fraction of cases," said Fran Rosch, vice president of Trust Services and SSL at Symantec, in a blog post on Thursday.

"His [Langley's] proposal to have the browser maintain a list of revoked certificates turns Google into a single point of failure, which Langley himself agrees is bad engineering practice," Rosch said.

According to Rosch, the soft-fail mechanism currently used by browsers is the real issue, since it allows HTTPS sessions to continue without establishing whether the SSL certificate is valid or not. Symantec has maintained an uptime of 100 percent for its OCSP and CRL services for the past ten years, so CA-level downtime shouldn't be a concern, he said.

"OCSP clearly does not work today because all major browsers operate it in soft-fail mode. That needs fixing," said Ivan Ristic, director of engineering at security firm Qualys, via email. "My view is that Google should have first made an effort to fix the problem," he said.

Qualys plans to start a project called "Global OCSP Responder monitoring" which will track the availability of all OCSP responders and identify CAs with unreliable ones. "That would hopefully enable everyone to switch to hard-fail by default," Ristic said.

According to Ristic, the performance issues could be resolved with the help of a technique known as OCSP stapling, which involves the owner of a SSL certificate querying the CA's OCSP server periodically and caching a signed response. This response would then be served to clients directly without them needing to open a connection to a separate host.

"Even without OCSP stapling, browsers can start to display a web site and perform the check in the background, so there's not going to be an immediate performance impact," Ristic said. "They could hard-fail after a second or two, possibly preventing further interactions with the site."

Removing OCSP checks from Google Chrome might even have legal implications for users, who won't be able to claim warranties for damages resulting from the use of bad certificates if the software they rely on doesn't make an effort to check certificate revocation status, said Eddy Nigg, founder and chief technology officer of certificate authority StartCom, via email.

"Strictly speaking, Google as a relying party and software vendor might not be able to make use of the CA root certificates its browser currently uses, due to non-compliance to those relying party obligations," Nigg said.

Nigg agreed that the problem is the soft-fail mechanism implemented in browsers, which he described as a failure in itself. "It's rather the browsers that have fairly weak implementations at their side and don't try hard enough (and smart enough) in order to obtain a status response," he said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?