There is an interesting pissing match going on between Google's security engineer Adam Langley, and Steve Gibson. A lot of security experts are on Gibson's side and, apparently, so is the CA Security Council, which is the international organization in charge of certifications and managing revocation lists.
This has all come to light because of the Heartbleed bug. Thanks to that, 140,000 SSL certificates have been revoked and replaced by their owners because there is no way of knowing if they were compromised, and since those certs have 2-year lives, most of them won't expire for another year.
In an ideal world you want your browser to check the revocation list before allowing you to connect to a site using a secure SSL connection, to make sure the certificate they are using has not been revoked. While it's difficult to do, it's not impossible for someone to use a revoked certificate to set up a phony site (they would also need to compromise your DNS).
The problem is that cert revocation is badly broken. Most mobile browsers don't do it at all (on Android only Firefox does). Most that do are configured to "soft-fail", which means that if they can't reach the revocation server and confirm whether or not the cert is revoked, they will assume the cert is good. This is done to avoid false positives. Thus all an attacker would have to do (in addition to having a revoked cert and poisoning your DNS) is to prevent your browser from communicating with the cert's revocation server.
One browser that DOES do a "hard-fail" revocation test is Firefox, and apparently it has done so for years.
Gibson and Cloudflare both set up test sites using revoked SSL certificates so people could test their browsers to see if they were performing revocation checks. You can test your browser yourself here at Gibson's site:
https://revoked.grc.com
You will get an error message about a revoked cert if your browser is checking the revocation list. You'll see the web page if it's not.
Chrome failed those tests originally, since it doesn't check the revocation list. Instead, Chrome manages its own shorter list, which it periodically updates, and Google decides what certs are important enough to include in that list. That list is VERY short - so short that only 3% of the 140,000 certs revoked due to Heartbleed are on it.
When Google started getting complaints from security-minded users about this, they did something really sleazy: they hard-coded the GRC and Cloudflare sites into the last browser update. This allows Chrome to pass the test on these sites, which gives users a false impression that they are protected from other revoked sites.
Gibson called them out on this, and it's been fun to follow. Chrome defends their short revocation list because they feel it improves performance, and that the whole revocation system is badly flawed anyway and doesn't work. Gibson's point is that ANY protection (even flawed) is better than none, and that's what you get when you use Chrome.
Gibson admits this may not matter to most people, and no one has ever heard of a revoked cert being used in an exploit, but he points out that hackers and scammers (and intelligence agencies) are getting more and more creative all the time. His whole purpose in discussing the revocation system is to show that it IS flawed because most people don't even know about it, and he wants there to be more discussion about accelerating plans to implement a more secure revocation system tied in with a proposed secure DNS. Heartbleed has made this more important, and highlighted the fact that even without Heartbleed, several thousand certs are revoked every week for a variety of reasons.
Ars Technica has an article on the whole soap opera here:
http://arstechnica.com/security/2014/04 ... ly-broken/
Here's the CA Security Council's official response, where they don't look kindly on Google's less than thorough revocation system:
https://casecurity.org/2014/05/08/casc- ... -response/
If you REALLY want to understand all this, Gibson has done two podcasts on it discussing it in detail. Some of it - especially the first part - gets a little hard to follow if you have not been following his past podcasts that explain how encryption works, but even a layman should be able to understand what he's talking about.
He's discussed it in episodes 453 & 454:
https://www.grc.com/securitynow.htm
The episodes are close to 2 hrs each, but the first hour is about weekly security news and bulletins, and errata including discussion about Sci-Fi TV series and movies. The last half is about the main topic. The security news is very informative, though; I listen weekly just to keep up with what's going on security-wise.
Chrome's lack of SSL revocation may expose users
- FlyingPenguin
- Flightless Bird
- Posts: 33161
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez
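A worked illustration of the soft-fail versus hard-fail behaviour described in the post above, added here as an example (it is not code from the original post, nor from GRC or Cloudflare): it builds a throwaway CA with the openssl CLI, revokes a made-up leaf certificate in a CRL, and shows how each policy decides when the CRL is available and when it is unreachable. The name `revoked.example`, the `check_cert` function and the minimal `ca.cnf` are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the original post): build a throwaway CA, issue a
# leaf cert, revoke it in a CRL, then apply the "soft-fail" and "hard-fail"
# policies the post describes browsers using. Needs only the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Throwaway CA and leaf certificate (subject names are made up for the demo)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=revoked.example" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 1 >/dev/null 2>&1

# Minimal 'openssl ca' config: just enough to revoke a cert and emit a CRL
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF
: > index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem >/dev/null 2>&1

# check_cert POLICY CRL_PATH: prints allow or deny for leaf.pem. An empty
# CRL_PATH models the revocation server being unreachable (the situation the
# post says a soft-fail browser gets wrong).
check_cert() {
    policy=$1; crl=$2
    if [ -n "$crl" ]; then
        # Revocation data is available: the CRL decides, whatever the policy
        if openssl verify -crl_check -CAfile ca.pem -CRLfile "$crl" leaf.pem >/dev/null 2>&1
        then echo allow; else echo deny; fi
    elif [ "$policy" = soft ]; then
        echo allow   # soft-fail: no answer, so assume the cert is good
    else
        echo deny    # hard-fail: no answer, so refuse to connect
    fi
}

echo "CRL reachable,   soft-fail: $(check_cert soft crl.pem)"   # deny
echo "CRL reachable,   hard-fail: $(check_cert hard crl.pem)"   # deny
echo "CRL unreachable, soft-fail: $(check_cert soft '')"        # allow
echo "CRL unreachable, hard-fail: $(check_cert hard '')"        # deny
```

The only row that differs between the two policies is the unreachable case, which is exactly the gap a soft-fail browser leaves open.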
- FlyingPenguin
- Flightless Bird
- Posts: 33161
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
LOL!
Steve posted this on his site. Some fan of the podcast photoshopped it.
Leo Laporte and Steve Gibson as Commander Riker and Captain Picard
This was not our idea. It was created by a fan of the podcast using GIMP (similar to Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez