Easily test your browser's response to revoked certificates

https://revoked.grc.com/

Does anyone here watch or listen to Security Now!? It’s great.

Steve Gibson set up the above web page with a revoked certificate. Just see what happens when you try to visit the page, to see how your browser responds. It should issue a warning saying that the certificate has been revoked. If it doesn’t, that’s a security concern.

If your browser lets you view the page above (https://revoked.grc.com/) you can read all about the issue there. If it doesn’t (which is preferable) you can read all about it (and I think it’s interesting) here:

By the way, Chrome is focused on speed and seems to allow you to visit the page with no warnings. Firefox handles it much better and blocks it.

edit: It turns out this test may not be reliable for Chrome because they’ve manually added an exception for this site. Presumably because it’s embarrassing that Chrome’s system is essentially broken.
There are four pages about this on grc.com, linked to in this post further down. There’s loads of information there. Sorry I’ve made such a hash of presenting it here! :blush:

From GRC.com:

Google’s Chrome browser is the least certificate-secure browser on the Internet. It puts speed before security, so it is the only browser on the Internet to disable certificate checking by default.

Please let me know how you get on if you test Chrome. I tried just now on my PC, and it successfully warned me about the revoked cert. However, I seem to recall some time ago changing the default settings, so that it pays attention to revocations.

On Chrome, can see the whole site

Chrome’s revocation checking is DISABLED by default. Thanks to the law of “the tyranny of the default,” this is the setting virtually all Chrome users will have . . . because that’s the way it came. Chrome is the only web browser to disable certificate checking by default. Why? Everyone knows that Chrome is a speedy web browser. But very few know that this was a bargain made at the cost of security. Chrome’s engineers recommend to disable revocation checking because “all it does is slow things down.” They will be right . . . until they are very wrong.



edit: Sorry, my information was incomplete/wrong. I believe I enabled this setting when Heartbleed was revealed, but it seems Chrome has since removed this option. A quote from GRC's "SSL/TLS Certificate Revocation Awareness – Specific Implementations":

Whoa! It just got even worse. On May 7th, 2014, the Chromium (Chrome) developers decided that the checkbox option was confusing to users (see near the end of this page). So, to help the poor confused users, they first left Chrome’s external revocation disabled and have now removed the option to enable it. If you cannot find the checkbox to enable external revocation, that’s what happened to it.



This is from grc.com. I only linked to one of the four pages in my earlier post. It’s not that obvious that there are four pages, so I’d like to link to all of them here:

EDIT: It looks like you can’t fix this through the settings anymore…

You can change the default settings if you want more protection, but technically it slows down browsing a little.

Edit: forgot to say thanks for letting me know. It’s good to know how other people’s setups react.

Chromium on Ubuntu doesn’t even show such a checkbox :upside_down:

Sorry, I hadn’t realised that the option has been removed from the settings.

I was on a crappy phone today, and the information I gave was patchy.

I’ve read a bit more and I’m confused. Get this! It turns out (according to this page) that:

In order to block the two known high profile revoked sites, which Chrome would have otherwise continued to display, the Chromium developers added a special-case to Chrome’s CRLSet. Not because Chrome’s CRLSet works . . . but because it doesn’t.

In other words, they’ve manually added a block for https://revoked.grc.com/ because it’s embarrassing.

I don’t know why some people can access the site and some can’t though…

I’m going to edit my original post a bit now.
