Tuesday, February 7, 2012

Chrome is dropping CRL checking

Google's Adam Langley explains why, and this Ars Technica article adds some more context.

As Langley says:

So soft-fail revocation checks are like a seat-belt that snaps when you crash. Even though it works 99% of the time, it's worthless because it only works when you don't need it.

While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks are slow and compromise privacy. The median time for a successful OCSP check is ~300ms and the mean is nearly a second. This delays page loading and discourages sites from using HTTPS. They are also a privacy concern because the CA learns the IP address of users and which sites they're visiting.

Seems like pretty good reasoning to me.
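To make the seat-belt analogy concrete, here is a small added illustration (my own toy model, not code from Langley's post or from Chromium) of how a client's revocation policy decides in the four cases that matter: responder reachable or not, certificate good or revoked. The certificates, serial numbers and the `ocsp_responder` / `accept_connection` functions are invented stand-ins; nothing here speaks real OCSP.

```python
"""Toy model of the soft-fail vs hard-fail revocation argument.

Added illustration for this post, not code from Adam Langley's article or
from Chromium. Certificates, serials and the responder are constructed,
in-memory stand-ins; no real OCSP messages are built or parsed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict


class Policy(Enum):
    SOFT_FAIL = "soft-fail"   # responder unreachable -> proceed as if "good"
    HARD_FAIL = "hard-fail"   # responder unreachable -> refuse the connection


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int


class ResponderUnreachable(Exception):
    """Stands in for an OCSP timeout or a connection an attacker drops."""


# Constructed responder state: serial 2 has been revoked (say, key compromise).
REVOKED_SERIALS = {2}


def ocsp_responder(cert: Cert) -> Status:
    """Honest responder answering from its revocation database."""
    return Status.REVOKED if cert.serial in REVOKED_SERIALS else Status.GOOD


def make_fetcher(reachable: bool) -> Callable[[Cert], Status]:
    """Build the client's fetch step; an on-path attacker or an outage makes it fail."""
    def fetch(cert: Cert) -> Status:
        if not reachable:
            raise ResponderUnreachable(f"no OCSP answer for serial {cert.serial}")
        return ocsp_responder(cert)
    return fetch


def accept_connection(cert: Cert, fetch: Callable[[Cert], Status], policy: Policy) -> bool:
    """Decide whether a TLS client accepts the server certificate."""
    try:
        status = fetch(cert)
    except ResponderUnreachable:
        # This branch is the whole argument: soft-fail quietly proceeds.
        return policy is Policy.SOFT_FAIL
    return status is Status.GOOD


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Evaluate both policies across the four cases; keys are policy names."""
    good_cert = Cert("example.com", serial=1)
    stolen_cert = Cert("example.com", serial=2)   # revoked; attacker holds the key
    online, blocked = make_fetcher(True), make_fetcher(False)

    def both(cert: Cert, fetch: Callable[[Cert], Status]) -> Dict[str, bool]:
        return {p.value: accept_connection(cert, fetch, p) for p in Policy}

    return {
        # Normal operation: responder answers, both policies decide correctly.
        "good cert, responder up": both(good_cert, online),
        "revoked cert, responder up": both(stolen_cert, online),
        # The attack: MITM presents the revoked cert AND drops the OCSP query.
        "revoked cert, attacker blocks OCSP": both(stolen_cert, blocked),
        # The cost of hard-fail: a benign responder outage takes the site down.
        "good cert, responder outage": both(good_cert, blocked),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        verdicts = "  ".join(f"{k}={'accept' if v else 'reject'}" for k, v in outcome.items())
        print(f"{name:36s} {verdicts}")
```

The third row is the seat-belt snapping: whoever is positioned to present a stolen, revoked certificate is also positioned to drop the OCSP query, and soft-fail turns that into an accept. The fourth row is why hard-fail was never the default: a responder outage becomes a site outage, on top of the latency and privacy costs the quote lists.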
