Easily test your browser's response to revoked certificates

Chrome’s revocation checking is DISABLED by default. Thanks to the law of “the tyranny of the default,” this is the setting virtually all Chrome users will have . . . because that’s the way it came. Chrome is the only web browser to disable certificate checking by default. Why? Everyone knows that Chrome is a speedy web browser. But very few know that this was a bargain made at the cost of security. Chrome’s engineers recommend to disable revocation checking because “all it does is slow things down.” They will be right . . . until they are very wrong.



edit: Sorry, my information was incomplete/wrong. I believe I enabled this setting when Heartbleed was revealed, but it seems Chrome has since removed this option. A quote from GRC's SSL/TLS Certificate Revocation Awareness – Specific Implementations:

Whoa! It just got even worse. On May 7th, 2014, the Chromium (Chrome) developers decided that the checkbox option was confusing to users (see near the end of this page). So, to help the poor confused users, they first left Chrome’s external revocation disabled and have now removed the option to enable it. If you cannot find the checkbox to enable external revocation, that’s what happened to it.



This is from grc.com. I only linked to one of the four pages in my earlier post. It’s not that obvious that there are four pages, so I’d like to link to all of them here: