[Pkg-chromium-maint] Bug#745646: closed by Michael Gilbert <mgilbert at debian.org> (Re: Bug#745646: chromium: certificate revocation is not checked)

Vincent Lefevre vincent at vinc17.net
Wed Apr 30 00:28:51 UTC 2014

On 2014-04-30 01:39:43 +0200, Andreas Cadhalpun wrote:
> Do you have 'Check for server certificate revocation' enabled in
> chrome://settings/?

No, Chromium developers tell users not to enable it, and consider
it as an obsolete option that will be removed. Indeed, in case of
real MITM attack, the attacker can block the OCSP server, in which
case Chromium will silently consider the certificate as valid, and
this is complete non-sense! Said otherwise, revocation checking in
Chromium can work only when it is not needed. So, to do the real
check, you must not enable this option, just rely on the CRLSet.

Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

More information about the Pkg-chromium-maint mailing list