Google Chrome protection for Heartbleed-hacked sites called “completely broken”


Update: A few hours after this article went live, Google engineer Adam Langley published a blog post taking issue with the GRC characterization that Chrome's CRLSet is "completely broken." In the post, Langley said he has always been clear that the measure isn't perfect, but that in any event it's more effective than the revocation checks turned on by default in other browsers. "And yet, GRC managed to write pages (including cartoons!) exposing the fact that it doesn't cover many revocations and attacking Chrome for it." In fairness to Google, a test performed after this article was published showed that Chrome blacklisted the TLS certificate Ars revoked three weeks ago. The text of the article as it originally ran follows:

The ability of Google Chrome to block secure website connections compromised by the Heartbleed bug is "completely broken" because the browser by default detects less than three percent of the underlying digital certificates that have been revoked, according to a detailed analysis recently posted online.

The charge was leveled against CRLSet, a regularly updated list in Chrome that catalogs website encryption certificates that have recently been revoked. Last week, noted cryptography engineer and Google employee Adam Langley promoted CRLSet as an improvement over the Online Certificate Status Protocol (OCSP), which is turned on by default in most other browsers. Langley blasted OCSP as "useless" because, he said, it was trivial to bypass and threatened to harm the performance and stability of the overall Internet.
