All about Google Chrome & Google Chrome OS

14 Apr 12 Chrome’s False Start lives up to its name: web security gets slower (but more …


In 2010, Google claimed it had a way to significantly reduce the time it took to load encrypted websites, and in 2011 it proclaimed success: “False Start” reportedly cut the latency of SSL handshakes for Google Chrome users by 30 percent. The only problem was that the company couldn’t make it work with all such websites, only about 95 percent of them, and the rest either failed too unreliably for Google to put them on a blacklist or belonged to operators who refused to fix the incompatibility. That’s why Google security researcher Adam Langley announced that, starting in version 20 of the Chrome browser, False Start will be turned off by default… and why the initiative will likely join the ranks of other tech-industry in-jokes like Digital Rights Management and Microsoft Works.

Article source: http://www.theverge.com/2012/4/14/2947644/chromes-false-start-lives-up-to-its-name


14 Feb 12 Chrome turns its back on security standard





Google is right that digital certificate revocation checking is broken, but wrong to abandon the standard


I’m still trying to wrap my head around Google’s surprising revelation (in Google engineer Adam Langley’s blog) that it will disable online certificate revocation checking in a future version of the Chrome browser. Standard across all the leading browsers, online revocation checking is the process of conducting a verification query of a certificate authority when presented with a new digital certificate tied to a particular website. Although the certificate revocation process is currently broken, as I’ll explain below, Google’s Chrome-only fix is problematic in a number of ways. And a much simpler fix — for Chrome and every other browser — is plain for all to see. 

When your browser connects to an HTTPS-protected website, it examines the digital certificate the site presents, locates the revocation pointer embedded in the certificate (if there is one: the address of the issuer’s CRL or OCSP responder), then queries that address to determine whether the certificate has been revoked by the issuer. Common reasons for revocation include a compromise of the certificate owner’s private key or routine certificate replacement, but a certificate can be revoked for any reason the issuer chooses. I’ve seen certificates revoked because the owner didn’t pay the issuer in a timely manner.


Revocation checking lets applications such as your Web browser confirm that the presented certificate is still valid and still vouches for the site you’re visiting. As such, it is integral to PKI; without it, a certificate the issuer has withdrawn (say, because its private key was compromised) goes on being trusted. Unfortunately, revocation has often been neglected or ignored. Whether and how it’s done depends entirely on the “consuming” application or system, and in many scenarios revocation checking is so poorly implemented that it’s hard to say it’s being performed at all or provides any value.

For example, the digital certificates for many websites either don’t contain a revocation link pointer, or they point to a location that isn’t contactable. One presentation I saw at Black Hat Las Vegas a few years ago found that more than 90 percent of HTTPS-enabled websites didn’t implement digital certificates correctly. Not all of those failures were due to revocation issues, although a large number of them were.

Certificate revocation checking is broken
HTTPS revocation checking is so hit or miss that most popular browsers fail “open” — meaning that if the certificate’s revocation information cannot be confirmed, the browser will proceed as if the certificate were still valid. Worse, in most cases, the user isn’t aware that revocation checking doesn’t work. Many browsers can be configured to fail closed (that is, if revocation checking can’t be performed, then the browser won’t let the user connect to the protected website), but no browser vendor has the stomach to make this the default behavior. Many legitimate websites would become unreachable, and no browser maker wants to risk widespread user frustration.

All PKI and crypto experts understand the current problems with revocation checking, so it’s not just Google. However, Google is drawing a line in the sand to protect the users of its browser by stating that today’s generally accepted standards for doing digital certificate revocation, Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP), are too broken to fix.

Article source: http://www.infoworld.com/d/security/chrome-turns-its-back-security-standard-186362


07 Feb 12 Google to strip Chrome of SSL revocation checking


Google’s Chrome browser will stop relying on a decades-old method for ensuring secure sockets layer certificates are valid after one of the company’s top engineers compared it to seat belts that break when they are needed most.

The browser will stop querying CRLs (certificate revocation lists) and OCSP (online certificate status protocol) responders, Google researcher Adam Langley said in a blog post published on Sunday. He said the services, which browsers are supposed to query before trusting a credential for an SSL-protected address, don’t make end users safer, because Chrome and most other browsers establish the connection anyway when the services can’t be reached to confirm that a certificate hasn’t been revoked.

“So soft-fail revocation checks are like a seat-belt that snaps when you crash,” Langley wrote. “Even though it works 99% of the time, it’s worthless because it only works when you don’t need it.”

SSL critics have long complained that the revocation checks are mostly useless. Attackers who can spoof the websites and certificates of Gmail and other trusted sites typically can also intercept the revocation query and replace a “revoked” answer with an OCSP “try later” response, which browsers treat as nothing more than a temporarily unavailable responder. Indeed, Moxie Marlinspike’s sslsniff tool supplies such responses automatically, effectively bypassing the measure.

“While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks are slow and compromise privacy,” Langley added. That’s because the checks add a median time of 300 milliseconds and a mean of almost 1 second to page loads, making many websites reluctant to use SSL. Marlinspike and others have also complained that the services allow certificate authorities to compile logs of user IP addresses and the sites they visit over time.

Chrome will instead rely on its automatic update mechanism to push out a list of certificates that have been revoked for security reasons. Langley called on certificate authorities to publish lists of revoked certificates that Google’s crawlers can fetch automatically. The time frame for the change is “on the order of months,” a Google spokesman said.
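The mechanism the two articles above describe (the revocation pointers a browser reads out of a certificate, the lookup against the issuer, and the soft-fail versus hard-fail decision when that lookup fails), shown as a self-contained Go program added here as an illustration; it is not Chrome’s code or any CA’s. A throwaway CA generated in memory issues a leaf certificate whose extensions carry a CRL distribution point and an OCSP responder address, the CA publishes a CRL, and the client-side check follows the pointer, verifies that the CRL is signed by the issuer and still current, then looks the serial up. The hostnames, the serial number and the `fetch` callback are assumptions of this example: `fetch` stands in for the HTTP request so a blocked lookup can be simulated offline, and `accept` applies either the soft-fail policy the browsers use or the hard-fail alternative. The lookup goes through the CRL; OCSP is represented only by its pointer in the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Chrome or CA code. Hostnames are placeholders; nothing touches the network.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newPKI issues a CA with the crlSign key usage and a leaf whose extensions carry the
// revocation pointers a client looks for: a CRL distribution point and an OCSP URL (AIA).
func newPKI() (caCert, leafCert *x509.Certificate, caKey *ecdsa.PrivateKey) {
	now := time.Now()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(0x1234), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}, // placeholder pointers
		OCSPServer:            []string{"http://ocsp.example.test"},
	}
	leafCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey))))
	return caCert, leafCert, caKey
}

// issueCRL publishes an issuer-signed CRL listing the given serials as revoked.
func issueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
}

// Status is the outcome of a lookup; Unknown means no usable answer (no pointer, fetch failed, bad signature, stale CRL).
type Status string
const Good, Revoked, Unknown Status = "good", "revoked", "unknown"

// checkCRL is the client side: follow the certificate's CRL pointer via fetch, verify the
// CRL was signed by the issuer and is still current, then look the serial up.
func checkCRL(leaf, issuer *x509.Certificate, fetch func(url string) ([]byte, error)) Status {
	if len(leaf.CRLDistributionPoints) == 0 {
		return Unknown
	}
	der, err := fetch(leaf.CRLDistributionPoints[0])
	if err != nil {
		return Unknown
	}
	rl, err := x509.ParseRevocationList(der)
	if err != nil || rl.CheckSignatureFrom(issuer) != nil || time.Now().After(rl.NextUpdate) {
		return Unknown
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked
		}
	}
	return Good
}

// accept applies the browser policy: soft-fail treats Unknown like Good, so an attacker
// who can block the fetch defeats the check; hard-fail refuses the connection instead.
func accept(s Status, hardFail bool) bool {
	if s == Unknown {
		return !hardFail
	}
	return s == Good
}

func main() {
	caCert, leafCert, caKey := newPKI()
	fmt.Println("pointers:", leafCert.CRLDistributionPoints, leafCert.OCSPServer)
	crl := issueCRL(caCert, caKey, leafCert.SerialNumber) // the CA has revoked the leaf
	online := checkCRL(leafCert, caCert, func(string) ([]byte, error) { return crl, nil })
	blocked := checkCRL(leafCert, caCert, func(string) ([]byte, error) { return nil, errors.New("fetch blocked") })
	fmt.Printf("CRL reachable: %s, soft-fail accepts=%v, hard-fail accepts=%v\n", online, accept(online, false), accept(online, true))
	fmt.Printf("CRL blocked:   %s, soft-fail accepts=%v, hard-fail accepts=%v\n", blocked, accept(blocked, false), accept(blocked, true))
}
```

Running it with `go run` prints the two pointers and then two rows: with the CRL reachable, both policies reject the certificate the CA has revoked; with the fetch blocked, the status is unknown and the soft-fail policy accepts that same revoked certificate, which is the snapping seat belt Langley describes. A CRL signed by any key other than the issuer’s, or one past its nextUpdate time, is likewise reported as unknown rather than taken as proof of either validity or revocation.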

Article source: http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars

