Hi,

On 02/07/2012 03:52 AM, Steven Bellovin wrote:
http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars

While I am no fan of CRLs, I think it's worth mentioning that Google's primary objective here does not at all seem to be the security of anything except their position in the race for the fastest browser:

"online revocation checks are slow and compromise privacy. The median time for a successful OCSP check is ~300ms and the mean is nearly a second. This delays page loading and discourages sites from using HTTPS"

This is a very backward way to say that a 300ms faster response time encourages people to use Chrome over competing browsers.

The security argument itself seems very weak. There is no evidence yet that the alternative strategy that Google proposes, namely letting them control the CRL list (and thus another part of the internet infrastructure), is any safer for the user in the long run.

Certainly the privacy concern that Google expresses "because the CA learns the IP address of users and which sites they're visiting" does not extend to Google itself, which already has much more detailed information about its users.

With a dubious motive and no clear advantage over the existing infrastructure, I'm underwhelmed.

Thanks,
Marcus
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography