[Pkg-chromium-maint] Bug#745646: chromium: certificate revocation is not checked

Giuseppe Iuculano giuseppe at iuculano.it
Thu May 1 17:57:37 UTC 2014


tags 745646 unreproducible
notfound 745646 34.0.1847.116-2
severity 745646 normal
thanks



On 2014-04-30 20:30 Jonathan Nieder wrote:
> However Vincent is right that the CRLSets[1] are a different mechanism
> than OCSP revocation checking and that CRLSet checking is enabled by
> default.

Yes, that's true, but I really can't reproduce this issue. In all my 
installations, CRLSets are updated correctly.

> If it is broken then that would indeed be a serious bug.


I don't think this would be a serious bug. You should consider CRLSet 
only as "better than nothing".
Please try to find a real case where you are more secure with it but 
consider that:


- CRLSet includes at most 2% of the revoked certificates currently 
published by the Internet's certificate authorities
- updates to CRLSet appear to often take several days
- if an attacker can use a revoked certificate, he can intercept 
traffic, so he could also intercept CRLSet updates



Cheers,
Giuseppe
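To make concrete what the CRLSet check discussed above actually is (a purely local lookup of the issuer's SPKI hash and the certificate serial in a downloaded list, with no network query, unlike OCSP), here is an added example. It is not code from the bug report, from Debian or from Chromium. The blob layout follows my understanding of the format handled by Chromium's crlset-tools (little-endian 16-bit header length, a JSON header, then per parent a 32-byte SHA-256 of the issuer SubjectPublicKeyInfo, a little-endian 32-bit serial count and length-prefixed serials) and is an assumption; the issuer SPKI bytes and serial numbers are constructed placeholders, not real certificates. The point it shows is the one made in the message: any revoked certificate whose serial is absent from the list, which is most of them, passes the check.

```python
import hashlib
import json
import struct

# Constructed placeholder for the issuing CA's DER-encoded SubjectPublicKeyInfo.
# A real check hashes the actual SPKI bytes from the issuer certificate.
ISSUER_SPKI_DER = b"constructed-issuer-spki-placeholder"
ISSUER_SPKI_HASH = hashlib.sha256(ISSUER_SPKI_DER).digest()

# Constructed serial numbers (big-endian bytes of the certificate serial).
REVOKED_SERIAL = b"\x01\x02\x03\x04"
OTHER_SERIAL = b"\x0a\x0b\x0c"


def build_crlset(parents, sequence=1):
    """Serialise a CRLSet-style blob (format assumed from Chromium's crlset-tools).

    parents: {issuer_spki_sha256: [serial_bytes, ...]}
    """
    header = json.dumps({
        "Version": 0,
        "ContentType": "CRLSet",
        "Sequence": sequence,
        "NumParents": len(parents),
        "BlockedSPKIs": [],
    }).encode()
    out = bytearray(struct.pack("<H", len(header)) + header)
    for spki_hash, serials in parents.items():
        out += spki_hash                                  # 32-byte SHA-256 of SPKI
        out += struct.pack("<I", len(serials))            # number of serials
        for serial in serials:
            out += struct.pack("B", len(serial)) + serial # 1-byte length prefix
    return bytes(out)


def parse_crlset(blob):
    """Parse a blob written by build_crlset into (header, {spki_hash: set(serials)})."""
    (hlen,) = struct.unpack_from("<H", blob, 0)
    header = json.loads(blob[2:2 + hlen])
    pos = 2 + hlen
    parents = {}
    for _ in range(header["NumParents"]):
        spki_hash = blob[pos:pos + 32]
        pos += 32
        (count,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        serials = set()
        for _ in range(count):
            slen = blob[pos]
            pos += 1
            serials.add(blob[pos:pos + slen])
            pos += slen
        parents[spki_hash] = serials
    if pos != len(blob):
        raise ValueError("trailing bytes after last parent")
    return header, parents


def is_revoked(parents, issuer_spki_hash, serial):
    """CRLSet semantics: revoked only if (issuer SPKI hash, serial) is listed.
    An unknown issuer or an unlisted serial silently returns False."""
    return serial in parents.get(issuer_spki_hash, set())


def check_certificate(crlset_blob, issuer_spki_der, serial):
    """Local-only check of one certificate against a CRLSet blob; no network access."""
    _, parents = parse_crlset(crlset_blob)
    return is_revoked(parents, hashlib.sha256(issuer_spki_der).digest(), serial)


# Constructed sample CRLSet listing two serials under one issuer.
SAMPLE_CRLSET = build_crlset({ISSUER_SPKI_HASH: [REVOKED_SERIAL, b"\x7f\xff"]}, sequence=42)

if __name__ == "__main__":
    print("listed serial revoked:", check_certificate(SAMPLE_CRLSET, ISSUER_SPKI_DER, REVOKED_SERIAL))
    print("unlisted serial revoked:", check_certificate(SAMPLE_CRLSET, ISSUER_SPKI_DER, OTHER_SERIAL))
    print("unknown issuer revoked:", check_certificate(SAMPLE_CRLSET, b"other-ca-spki", REVOKED_SERIAL))
```

The last two calls are the failure mode behind the "better than nothing" remark: a certificate the CA has revoked but that the CRLSet does not carry, or one chained to an issuer the set does not cover at all, is reported as not revoked, and the client has no way to tell "not listed" from "not revoked" without an OCSP or CRL query.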


