Steve Gibson has a nice round-up where he explains how certificate revocation does work and why Chrome and Chromium's certificate revocation scheme doesn't work. I recommend reading both Steve Gibson's article An Evaluation of the Effectiveness of Chrome's CRLSets and Adam Langley's, in my opinion, somewhat misplaced answer Revocation still doesn't work.
- Listen to Security Now! episode 454, Certificate Revocation Part 2, in which Steve explains both certificate revocation and Google's CRLSets.
How to be safe
- Use Firefox until Chrome is fixed.
- In Firefox, enable hard fail on OCSP errors: go to Preferences → Advanced → Certificates → Validation and check "When an OCSP server connection fails, treat the certificate as invalid."
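To make the difference between these policies concrete, here is an added example (not code from the original post, Steve Gibson, or Mozilla) that models the three checks discussed above: soft-fail OCSP (the browser default), hard-fail OCSP (the Firefox setting), and a CRLSet-style lookup. The certificate fields, hashes and the CRLSet contents are constructed placeholders; the point is the decision each policy reaches for a revoked certificate when the OCSP responder is unreachable, which is exactly the situation the articles argue about.

```python
"""Added example: how soft-fail OCSP, hard-fail OCSP and a CRLSet-style
lookup each decide on a certificate. All data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    # Responder timed out, was blocked on the network, or returned an error.
    UNAVAILABLE = "unavailable"


@dataclass(frozen=True)
class Cert:
    issuer_spki_sha256: str  # constructed placeholder, not a real issuer hash
    serial: int
    subject: str


def ocsp_decision(status: OcspStatus, hard_fail: bool) -> bool:
    """Return True if the certificate is accepted under the given OCSP policy.

    A definitive 'good' or 'revoked' answer is honoured either way. The policies
    differ only when no answer arrives: soft-fail treats silence as 'good',
    hard-fail treats it as 'invalid' (the Firefox checkbox above)."""
    if status is OcspStatus.GOOD:
        return True
    if status is OcspStatus.REVOKED:
        return False
    return not hard_fail


def crlset_decision(cert: Cert, crlset: set[tuple[str, int]]) -> bool:
    """Return True if the certificate is accepted by a CRLSet-style lookup.

    A CRLSet is a pushed list of (issuer SPKI hash, serial) pairs. Nothing is
    fetched at connection time, so a revoked certificate that was never added
    to the list is simply accepted."""
    return (cert.issuer_spki_sha256, cert.serial) not in crlset


def evaluate(cert: Cert, status: OcspStatus,
             crlset: set[tuple[str, int]]) -> dict[str, bool]:
    """Run all three policies and report which ones accept the certificate."""
    return {
        "soft_fail_ocsp": ocsp_decision(status, hard_fail=False),
        "hard_fail_ocsp": ocsp_decision(status, hard_fail=True),
        "crlset": crlset_decision(cert, crlset),
    }


# Constructed sample data: one issuer, two revoked certificates.
ISSUER = "sha256:issuer-placeholder"
REVOKED_LISTED = Cert(ISSUER, 0x1001, "listed.example")
REVOKED_NOT_LISTED = Cert(ISSUER, 0x1002, "unlisted.example")
# The pushed CRLSet only knows about the first one.
CRLSET: set[tuple[str, int]] = {(ISSUER, 0x1001)}

if __name__ == "__main__":
    # The interesting case: the cert is revoked but the responder is unreachable.
    for cert in (REVOKED_LISTED, REVOKED_NOT_LISTED):
        print(cert.subject, evaluate(cert, OcspStatus.UNAVAILABLE, CRLSET))
```

Running it shows that with the responder unreachable, soft-fail OCSP accepts both revoked certificates, hard-fail OCSP rejects both, and the CRLSet rejects only the one that happened to be pushed to it. In about:config the Firefox checkbox described above corresponds to the `security.OCSP.require` preference set to `true`, which is the setting to use if you want to apply it through a user.js file or enterprise policy rather than the preferences dialog.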
[Adam Langley]: