Only Firefox is safe post Heartbleed

Steve Gibson has a nice round-up where he explains how certificate revocation works and why Chrome's and Chromium's certificate revocation scheme doesn't work. I recommend reading both Steve Gibson's article, An Evaluation of the Effectiveness of Chrome's CRLSets, and Adam Langley's, in my opinion, a bit misplaced answer, Revocation still doesn't work.

How to be safe

  1. Use Firefox until Chrome is fixed.

  2. In Firefox enable hard fail on OCSP errors.

    Go to Preferences > Advanced > Certificates > Validation.

    Check "When an OCSP server connection fails, treat the certificate as invalid".
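
The same setting can be enforced and audited from a script, shown here as an added example that is not part of the original post. It assumes Firefox's about:config names for the two Validation checkboxes (`security.OCSP.enabled` and `security.OCSP.require`, which do not appear on this page) and takes the profile directory as an argument.

```shell
#!/bin/sh
# Added example: enforce and audit OCSP hard fail in a Firefox profile.
# Firefox reads user.js from the profile directory at startup and applies
# its values over the stored preferences.
# Assumed pref names (Firefox about:config, not taken from this page):
#   security.OCSP.enabled = 1     query OCSP responders
#   security.OCSP.require = true  treat a failed OCSP lookup as invalid (hard fail)

# set_pref FILE NAME VALUE: drop any existing entry for NAME, then append one.
set_pref() {
    file=$1 name=$2 value=$3
    touch "$file"
    # Fixed-string match including the comma, so only this exact pref is removed
    # and the file never ends up holding two conflicting values.
    grep -vF "user_pref(\"$name\"," "$file" > "$file.tmp" || true
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# enable_ocsp_hard_fail PROFILE_DIR: write both prefs into PROFILE_DIR/user.js.
enable_ocsp_hard_fail() {
    profile=$1
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    set_pref "$profile/user.js" security.OCSP.enabled 1
    set_pref "$profile/user.js" security.OCSP.require true
}

# ocsp_hard_fail_enabled PROFILE_DIR: exit 0 only if user.js enforces both prefs.
ocsp_hard_fail_enabled() {
    f=$1/user.js
    [ -f "$f" ] || return 1
    grep -qF 'user_pref("security.OCSP.enabled", 1);' "$f" &&
    grep -qF 'user_pref("security.OCSP.require", true);' "$f"
}

# Usage: sh ocsp-hard-fail.sh /path/to/firefox/profile
[ "$#" -eq 0 ] || enable_ocsp_hard_fail "$1"
```

Restart Firefox after running it; `ocsp_hard_fail_enabled` can then be used in a configuration audit to flag profiles that still soft-fail.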