Google to strip Chrome of SSL revocation checking

This is interesting. We certainly need change, but is this the way…

Google to strip Chrome of SSL revocation …

I would have expected switching to hard fail but it seems user experience wins again from security.

I do agree that ‘soft fail’ is useless tough.

we don’t agree with this approach.

This decision seems to be getting quite mixed reactions, so far. Basically, everything from, best thing they could have done, to, it’s a complete disaster.

do we know the reasons why people think its the best thing or a disaster? thx.

I’ve not found any ‘serious’ write-ups about the decision, yet, I’m sure we’ll see a few in the next day or so. Most of those in favour of the move by Google cite the deficiencies in OCSP, such as the limitations in the information checked, CA OCSP server unavailability, lack of encryption etc.

this is like saying " a door can be broken so lets remove it"…
instead they should be saying, how can we improve it!!!

That’s pretty much what the other camp are saying.

the assumption they have: Infrastructure is not possible to improve to an acceptable level.

our answer: unless we have clear supporting data, one cannot make this judgement.

Lets get the data, lets analyse if its good enough or not, if its not, identify what needs to be done to fix it…if what needs to be done to fix it is too much, then go with DNS based solution cos we know DNS works :slight_smile: