On Tue, Feb 7, 2012 at 9:56 AM, Marcus Brinkmann <[email protected]> wrote:
> Hi,
>
> On 02/07/2012 03:52 AM, Steven Bellovin wrote:
>>
>> http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars
>
> While I am no fan of CRLs, I think it's worth mentioning that Google's
> primary objective here does not at all seem to be the security of anything
> except their position in the race for the fastest browser:
>
> "online revocation checks are slow and compromise privacy. The median time
> for a successful OCSP check is ~300ms and the mean is nearly a second. This
> delays page loading and discourages sites from using HTTPS"
>
> This is a very backward way to say that a 300ms faster response time
> encourages people to use Chrome over competing browsers.
>
> The security argument itself seems very weak. There is no evidence yet that
> the alternative strategy that Google proposes, namely letting them control
> the CRL list (and thus another part of the internet infrastructure), is any
> safer for the user in the long run.

The point is that using this mechanism means Chrome always has an up-to-date
revocation list - as it is now, revocation checking can be blocked and Chrome
will allow revoked certs as a result.

> Certainly the privacy concern that Google expresses "because the CA learns
> the IP address of users and which sites they're visiting" does not extend to
> Google itself, which already has much more detailed information about its
> users.

Since it is a push mechanism, Google does not get which sites the user is
visiting.

> With a dubious motive and no clear advantage over the existing
> infrastructure, I'm underwhelmed.
>
> Thanks,
> Marcus
>
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
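The exchange above contrasts two revocation models: a per-connection online status check, which an on-path attacker can block and which tells the responder which site the client is visiting, and a revocation list pushed to the client and consulted locally. The following is an added example, not code from the thread, from Chrome, or from any CA: a small Python model of both approaches, showing why a blocked soft-fail check admits a revoked certificate while a locally held list does not, and why the pushed list should only ever move forward to a newer sequence number. All class names, the `sequence` field, the issuer key bytes and the certificate data are constructed for illustration.

```python
# Added example, not code from the thread: a minimal model of the two
# revocation strategies discussed above.  All names and sample data are
# constructed for illustration.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    issuer_spki: bytes  # issuer public key bytes (placeholder, not real DER)
    serial: int
    subject: str


def issuer_key_hash(spki: bytes) -> str:
    """Identify an issuer by the SHA-256 of its public key, so list entries do
    not depend on how the issuer's name happens to be encoded."""
    return hashlib.sha256(spki).hexdigest()


RevokedEntry = Tuple[str, int]  # (issuer key hash, serial number)


@dataclass
class OnlineResponder:
    """Per-connection status lookup.  The responder sees every query, and an
    on-path attacker can block it (modelled by `blocked`)."""
    revoked: Set[RevokedEntry]
    blocked: bool = False
    queries: List[str] = field(default_factory=list)

    def status(self, cert: Cert) -> Optional[str]:
        self.queries.append(cert.subject)  # responder learns the site visited
        if self.blocked:
            return None  # no answer before the timeout
        key = (issuer_key_hash(cert.issuer_spki), cert.serial)
        return "revoked" if key in self.revoked else "good"


@dataclass
class PushedRevocationSet:
    """Revocation list delivered out of band and consulted locally; no
    per-site request leaves the machine."""
    sequence: int
    entries: Set[RevokedEntry]

    def apply_update(self, sequence: int, entries: Set[RevokedEntry]) -> bool:
        """Accept only newer sets, so a replayed old set cannot un-revoke a cert."""
        if sequence <= self.sequence:
            return False
        self.sequence, self.entries = sequence, set(entries)
        return True

    def is_revoked(self, cert: Cert) -> bool:
        return (issuer_key_hash(cert.issuer_spki), cert.serial) in self.entries


def online_check(cert: Cert, responder: OnlineResponder, fail_closed: bool = False) -> bool:
    """True if the connection may proceed under the online model."""
    status = responder.status(cert)
    if status is None:
        # Soft-fail treats a blocked check as "good": the weakness the reply
        # describes.  Hard-fail refuses every connection while blocked.
        return not fail_closed
    return status == "good"


def pushed_check(cert: Cert, rset: PushedRevocationSet) -> bool:
    """True if the connection may proceed under the pushed-list model."""
    return not rset.is_revoked(cert)


# Constructed sample data: one issuer, one revoked leaf and one valid leaf.
ISSUER_SPKI = b"constructed-issuer-public-key-bytes"
REVOKED_CERT = Cert(ISSUER_SPKI, 0x1001, "revoked.example.test")
VALID_CERT = Cert(ISSUER_SPKI, 0x1002, "valid.example.test")
REVOKED_ENTRIES = {(issuer_key_hash(ISSUER_SPKI), 0x1001)}


def demo() -> Dict[str, object]:
    """Run both models against a blocked responder and return the decisions."""
    responder = OnlineResponder(revoked=REVOKED_ENTRIES, blocked=True)
    rset = PushedRevocationSet(sequence=1, entries=set())
    rset.apply_update(2, REVOKED_ENTRIES)
    stale_accepted = rset.apply_update(1, set())  # replayed old set: rejected
    return {
        "online_soft_fail_allows_revoked": online_check(REVOKED_CERT, responder),
        "online_hard_fail_allows_revoked": online_check(REVOKED_CERT, responder, fail_closed=True),
        "online_hard_fail_allows_valid": online_check(VALID_CERT, responder, fail_closed=True),
        "pushed_allows_revoked": pushed_check(REVOKED_CERT, rset),
        "pushed_allows_valid": pushed_check(VALID_CERT, rset),
        "responder_saw_sites": list(responder.queries),
        "stale_update_accepted": stale_accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the trade-off the thread is arguing about: with the responder blocked, the soft-fail online check admits the revoked certificate, the hard-fail variant refuses even the valid one, and the pushed list gives the right answer for both without any per-site query reaching a third party. The sequence check in `apply_update` is the part a pushed list cannot do without, since an attacker who can serve an older list could otherwise resurrect a revoked certificate.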
