Stripping OCSP From Chrome Will Not Improve Browser Security

Created: 16 Feb 2012 • Updated: 18 Dec 2012

Symantec applauds Adam Langley's resolve to increase consumer safety on the web. However, his proposal to remove OCSP and CRL checking from a future release of the Chrome browser is misguided and could have dangerous implications. Mr. Langley argues that OCSP and CRLs do not work when needed, giving the example of a captive portal that requires you to sign in to an HTTPS site while blocking traffic to all other sites. This is a corner case that happens very infrequently. We argue that one shouldn't discard OCSP and CRLs because they don't work in a tiny fraction of cases.

Langley also expresses concern that a CA may experience downtime. Symantec has provided CRLs and OCSP responses with 100% uptime for at least the past 10 years. We serve over 3.5 billion OCSP lookups every day, allowing browsers to reliably receive real-time validation of SSL certificates. Rather than letting CAs off the hook, Symantec believes that CAs should be required to maintain high-availability certificate status checking services, in line with the work that the CA/Browser Forum has done to raise the bar for certificate issuers.

His proposal to have the browser maintain its own list of revoked certificates turns Google into a single point of failure, which Langley himself agrees is bad engineering practice.

In fact, the real issue at hand lies in the 'soft fail' behaviour currently used by browsers. When an error occurs during CRL or OCSP checking (a timeout, an unreachable responder, a malformed response), browsers silently allow the user to proceed to the website, presumably to preserve the user experience. This client implementation flaw allows web sessions to continue without properly vetting the validity of the SSL certificate, sacrificing security for an incremental performance improvement.
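To make the soft-fail point concrete, here is an added illustration (not code from the post or from any browser) of the client-side decision a revocation check feeds into. The enum values, the `Policy` names and the sample result list are constructed for this example; a hard-fail policy blocks on every checking error, whereas soft-fail turns each error into a session that proceeds with the certificate's status unverified.

```python
from dataclasses import dataclass
from enum import Enum


class RevocationResult(Enum):
    """Outcome of one OCSP/CRL lookup as seen by the client (constructed names)."""
    GOOD = "good"                # responder/CRL confirmed: not revoked
    REVOKED = "revoked"          # responder/CRL says the certificate is revoked
    UNKNOWN = "unknown"          # responder has no record of this serial
    UNREACHABLE = "unreachable"  # timeout, DNS failure, captive portal, outage
    MALFORMED = "malformed"      # unparseable, expired or badly signed response


class Policy(Enum):
    SOFT_FAIL = "soft-fail"  # what the text describes browsers doing today
    HARD_FAIL = "hard-fail"  # block unless a definitive status was obtained


@dataclass(frozen=True)
class Decision:
    proceed: bool
    reason: str


def decide(result: RevocationResult, policy: Policy) -> Decision:
    """Map a lookup outcome to allow/block under the given policy."""
    if result is RevocationResult.GOOD:
        return Decision(True, "status confirmed good")
    if result is RevocationResult.REVOKED:
        return Decision(False, "certificate is revoked")
    # Anything else is a checking *error*: the client learned nothing either way.
    if policy is Policy.SOFT_FAIL:
        return Decision(True, f"{result.value}: soft-fail, proceeding unverified")
    return Decision(False, f"{result.value}: hard-fail, connection blocked")


def unverified_sessions(results, policy: Policy) -> int:
    """Count sessions allowed without a definitive status: a useful metric for
    a defender auditing how often soft-fail silently waves traffic through."""
    return sum(1 for r in results
               if r is not RevocationResult.GOOD and decide(r, policy).proceed)


# Constructed sample of one client's lookups over a session (not real data).
SAMPLE_RESULTS = [
    RevocationResult.GOOD, RevocationResult.UNREACHABLE, RevocationResult.GOOD,
    RevocationResult.MALFORMED, RevocationResult.REVOKED, RevocationResult.UNKNOWN,
]

if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, "unverified sessions allowed:",
              unverified_sessions(SAMPLE_RESULTS, policy))
```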

Symantec disagrees with Adam Langley's decision to strip OCSP and CRL checking from future releases of Google Chrome, as it will amount to a security downgrade. We look forward to discussing this topic with our peers in the CA/Browser Forum in the coming weeks and to working collaboratively with the industry to develop a solution that works best for consumers and businesses.