[Pkg-chromium-maint] Bug#745646: Bug#745646: closed by Michael Gilbert <mgilbert at debian.org> (Re: Bug#745646: chromium: certificate revocation is not checked)

Giuseppe Iuculano iuculano at debian.org
Wed Apr 30 17:22:25 UTC 2014


Hi,

On 30/04/2014 02:28, Vincent Lefevre wrote:
> No, Chromium developers tell users not to enable it, and consider
> it an obsolete option that will be removed. Indeed, in the case of a
> real MITM attack, the attacker can block the OCSP server, in which
> case Chromium will silently consider the certificate valid, and
> this is complete nonsense! In other words, revocation checking in
> Chromium can work only when it is not needed. So, to do the real
> check, you must not enable this option, just rely on the CRLSet.


*Please stop reopening this bug.*

That check is not enabled by default because it doesn't meaningfully add
to security. The benefits of online revocation checking are insignificant,
and it compromises privacy (the CA knows the IP addresses of users and the
sites they are visiting).

Cheers,
Giuseppe.
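The two positions in this thread (the quoted remark that a blocked OCSP responder makes a soft-fail check pass silently, and the reply's point that each online query tells the CA which client is visiting which site) can be seen side by side in a small simulation. This is an added example, not Chromium's code: `Cert`, `SimulatedOcspResponder`, the three `check_*` policies and the revoked serial are all invented here, and the responder is a stand-in that merely records what a real one would learn from the request.

```python
"""Revocation-check policies compared on a simulated OCSP responder.

Added illustration, not Chromium code. All names (Cert, SimulatedOcspResponder,
check_soft_fail, check_hard_fail, check_crlset) and the sample data are
constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class OcspUnavailable(Exception):
    """Raised when the responder cannot be reached (timeout, or blocked by a MITM)."""


@dataclass(frozen=True)
class Cert:
    issuer: str   # issuing CA name
    serial: int   # certificate serial number
    host: str     # site the certificate was presented for


@dataclass
class SimulatedOcspResponder:
    """Stand-in for a CA's OCSP responder. It records every query it answers,
    which is the privacy cost named in the reply: the CA sees the client's
    address together with the certificate (hence the site) being checked."""
    revoked: set                 # set of (issuer, serial) pairs
    reachable: bool = True       # False models an attacker blocking the responder
    queries: list = field(default_factory=list)

    def query(self, client_ip: str, cert: Cert) -> OcspStatus:
        if not self.reachable:
            raise OcspUnavailable("no response from OCSP responder")
        self.queries.append((client_ip, cert.issuer, cert.serial))
        if (cert.issuer, cert.serial) in self.revoked:
            return OcspStatus.REVOKED
        return OcspStatus.GOOD


def check_soft_fail(cert: Cert, responder: SimulatedOcspResponder,
                    client_ip: str = "203.0.113.7") -> bool:
    """Online OCSP, soft-fail: an unreachable responder is treated as 'good'.
    This is the behaviour the quoted message objects to."""
    try:
        return responder.query(client_ip, cert) is OcspStatus.GOOD
    except OcspUnavailable:
        return True


def check_hard_fail(cert: Cert, responder: SimulatedOcspResponder,
                    client_ip: str = "203.0.113.7") -> bool:
    """Online OCSP, hard-fail: an unreachable responder is treated as revoked.
    Secure against the blocking attack, but any responder outage breaks
    every site issued by that CA."""
    try:
        return responder.query(client_ip, cert) is OcspStatus.GOOD
    except OcspUnavailable:
        return False


def check_crlset(cert: Cert, crlset: set) -> bool:
    """Local CRLSet-style lookup against a pushed list of (issuer, serial).
    No network request: nothing to block and nothing for the CA to log.
    The trade-off is that the list is only as fresh as its last update."""
    return (cert.issuer, cert.serial) not in crlset


def compare_policies(cert: Cert, revoked_pairs: set, responder_reachable: bool) -> dict:
    """Evaluate one certificate under one network condition with all three policies."""
    responder = SimulatedOcspResponder(revoked=set(revoked_pairs),
                                       reachable=responder_reachable)
    crlset = set(revoked_pairs)  # assume the pushed CRLSet already carries this entry
    return {
        "soft_fail": check_soft_fail(cert, responder),
        "hard_fail": check_hard_fail(cert, responder),
        "crlset": check_crlset(cert, crlset),
        "ocsp_queries_seen_by_ca": len(responder.queries),
    }


# Constructed sample data: one revoked certificate for a hypothetical site.
REVOKED = {("Example CA", 0x1A2B)}
STOLEN_CERT = Cert(issuer="Example CA", serial=0x1A2B, host="bank.example")

if __name__ == "__main__":
    for reachable in (True, False):
        print(f"responder reachable={reachable}:",
              compare_policies(STOLEN_CERT, REVOKED, responder_reachable=reachable))
```

With the responder reachable all three policies reject the revoked certificate, and the responder has logged two queries from the client. With the responder blocked, soft-fail accepts the certificate, hard-fail rejects it, and the CRLSet lookup rejects it without having contacted anyone, which is the situation both messages describe from opposite sides.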

