Google Rethinks Revocation
Google has decided to take a different approach to certificate revocation in Chrome.
Revocation is a difficult task. It is difficult because it requires coordination between the CAs and the browsers to protect the end user, and because the event is by definition unusual. An end user sees an actual revoked certificate only once in millions or billions of web fetches. The checks are time-consuming as well. Langley says that the median time of a successful check is about a third of a second and the mean is over a second.
There is also the issue of bugs, features, and just weird things that browsers do with revocation. Some don’t check, some check but don’t thoroughly examine the result, and others will check thoroughly but only after the user turns the thorough checks on. Langley’s blog post of March 2011 on the subject is a good place to start if you want more. There are even ways for an attacker to easily interfere with OCSP checks.
Furthermore, revocation checks are a privacy issue; the science of geo-locating an IP address is so good that any packet anyone sends pretty much says where they are.
Google’s solution is for them to get CRLs through their normal web crawling mechanisms, and then distribute them to the Chrome users through the mechanism that they use to distribute other security information such as malware links.
This is a fantastic idea, because it replaces a number of bad-to-mediocre mechanisms for getting certificate-related security information with one that is proven to work. It also improves performance, network reliability, and end-user privacy.
There is a small cost, though. If I go to a site with a revoked certificate on my own before I receive a Google update, then I will accept the revoked certificate. But on the other hand, one of the reasons to shift to a new certificate management mechanism is that the old one doesn’t work reliably.
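The trade-off described above, as an added sketch that is not Google's code or Chrome's actual list format: a publisher merges crawled CRLs into numbered snapshots, and the client answers revocation checks from its local copy only. The class names, the (issuer key hash, serial) keying, and the sample key and serials are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def issuer_id(issuer_key: bytes) -> str:
    # Assumption of this sketch: entries are keyed by a hash of the issuer's key.
    return hashlib.sha256(issuer_key).hexdigest()

@dataclass
class Publisher:
    """Vendor side: merges crawled CRLs and publishes numbered snapshots."""
    version: int = 0
    revoked: dict = field(default_factory=dict)  # (issuer, serial) -> first version

    def ingest_crl(self, issuer_key, serials):
        entries = {(issuer_id(issuer_key), s) for s in serials}
        new = [e for e in entries if e not in self.revoked]
        if new:  # publish a new snapshot only when something changed
            self.version += 1
            self.revoked.update((e, self.version) for e in new)
        return self.version

    def delta_since(self, client_version):
        return self.version, {e for e, v in self.revoked.items() if v > client_version}

@dataclass
class Client:
    """Browser side: checks are local, so no per-site request reaches the CA."""
    version: int = 0
    revoked: set = field(default_factory=set)

    def apply_update(self, publisher):
        self.version, added = publisher.delta_since(self.version)
        self.revoked |= added
        return len(added)

    def is_revoked(self, issuer_key, serial):
        return (issuer_id(issuer_key), serial) in self.revoked

def demo():
    ca_key = b"constructed-ca-public-key"       # constructed sample input
    pub, client = Publisher(), Client()
    pub.ingest_crl(ca_key, [0x1001])
    client.apply_update(pub)
    pub.ingest_crl(ca_key, [0x1001, 0x2002])    # 0x2002 revoked after the last update
    stale = client.is_revoked(ca_key, 0x2002)   # the window: client still accepts it
    added = client.apply_update(pub)
    fresh = client.is_revoked(ca_key, 0x2002)   # closed once the update arrives
    return stale, added, fresh, client.version
```

The size of the exposure window is the gap between the publisher's snapshot and the client's next update, which is why update frequency matters more here than per-connection latency.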
The only criticisms I can make of this are in how to make this work for all the browsers. We need the same idea working for Firefox, Safari, IE, Opera, and others in addition to Chrome. Of these people, only Microsoft has their own search engine.
In short, the problem I see is not that it is a bad idea, but how to turn it into an industry-wide standard.