Google's Chrome Browser "Blindly" Trusting Heartbleed Affected Sites
How safe are you from Heartbleed? After the widespread security bug was discovered, many sites claimed to have safeguarded against it by resetting their OpenSSL cryptography. A new study takes a look at one of the more popular browsers in Chrome, noting it is nearly useless in spotting revoked certificates.
The problem within Chrome is CRLSet, which catalogs revoked security certificates. If a website has been compromised and had their security certificate taken away, CRLSet should know about it and give you a warning before proceeding. Gibson Research Corporation claims Google's CRLSet — used in lieu of the online certificate status protocol — misses about 98% of revoked certificates.
According to Gibson, Chrome is "blindly" trusting that others are doing their work. In a post on their website, they claim Chrome's CRLSet can only identify about 2% of the revoked certificates at best:
We know that Chrome's CRLSet includes at most 2% of the revoked certificates currently published by the Internet's certificate authorities. Chrome will blindly trust the remaining 98% of the Internet's revoked and not-yet-expired certificates. And, of course, new revocations are being published every day, 98% of which Chrome will never be aware of.
Gibson goes on to note Chrome only blocks revoked credentials from about 53 credential authorities. Microsoft recognizes about 353 CAa — Apple's Mac OS X identifies 211. Gibson also states roughly 140,000 certificates allowed by Chrome were from CloudFlare, which was among the first to have theirs revoked int he wake of the Heartbleed revelations.
What we can gauge from this is that a security standard — a real standard — must be arrived at soon. The issue with CRLSet revolves around transport layer security (TLS), and if one of the major browsers is only identifying 2% of compromised sites, that's just plain inadequate. When it comes to security, there simply shouldn't be disparate parties solving things their own way. There needs to be a call to arms, and a dissolving of egos.
Source: Ars Technica