Google Chrome removing OCSP


Whether or not this individual issue will negatively impact users, this baffling exclusion gives me little confidence in their other design decisions.

Taking the view that seatbelts are pointless because they don't prevent every road fatality, Google Chrome has infamously removed support for OCSP. The protocol allows an HTTPS certificate to be "stapled" with a frequently updated assertion from the issuing certificate authority that the certificate is still valid. In light of Heartbleed, which exposed private keys and forced certificates to be revoked en masse, you can see why this matters.

All other major browsers default to soft fail, meaning the client assumes a certificate is valid if it can't reach the certificate authority's OCSP server. Google asserts (heh) that this is evidence OCSP is broken, and that Chrome will no longer support it.
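To make the mechanics above concrete, here is an added example (not code from the original post) that runs a complete OCSP exchange offline with the openssl command-line tool: a throwaway CA issues two certificates, records one of them as revoked, answers a request for each, and a small shell function then plays the browser, applying either a soft-fail or a hard-fail policy to what it receives. The CA name, the example.test hostnames and the serial numbers are all constructed for the demo, and it assumes an OpenSSL 1.1 or 3.x openssl binary on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline OCSP round trip
# using the openssl CLI. A throwaway CA issues two leaf certificates, marks
# one revoked in its index, answers an OCSP request for each, and a client
# verifies the answers the way a stapling-aware browser would. Every name and
# serial here is constructed for the demo; nothing touches the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Throwaway CA, then two leaves with fixed serials (0x1001 good, 0x1002 revoked).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null
for entry in good:1001 revoked:1002; do
  cn=${entry%%:*}; serial=${entry##*:}
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn.example.test" \
    -keyout "$cn.key" -out "$cn.csr" 2>/dev/null
  openssl x509 -req -in "$cn.csr" -CA ca.crt -CAkey ca.key -set_serial "0x$serial" \
    -days 30 -sha256 -out "$cn.crt" 2>/dev/null
done

# 2. The CA's database in the text layout openssl's responder reads:
#    status, expiry, revocation time (empty for valid certs), hex serial,
#    file name, subject. Only the revoked entry carries a revocation time.
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=good.example.test\n' > index.txt
printf 'R\t300101000000Z\t240601000000Z\t1002\tunknown\t/CN=revoked.example.test\n' >> index.txt

# 3. Client builds a request, CA signs an answer valid for one day. A stapled
#    response is precomputed, so neither side uses a nonce. This signed,
#    short-lived answer is what a web server fetches and staples into its
#    TLS handshake.
for cn in good revoked; do
  openssl ocsp -issuer ca.crt -cert "$cn.crt" -no_nonce -reqout "$cn.req" >/dev/null 2>&1
  openssl ocsp -index index.txt -rsigner ca.crt -rkey ca.key -CA ca.crt -ndays 1 \
    -reqin "$cn.req" -respout "$cn.resp" -noverify >/dev/null 2>&1
done

# 4. The browser's decision. A verified answer is decisive under any policy;
#    a missing or unverifiable one is where soft fail (assume valid) and
#    hard fail (refuse to connect) part ways.
ocsp_verdict() {   # usage: ocsp_verdict soft|hard leaf.crt response.der -> allow|block
  policy=$1 cert=$2 resp=$3 out=
  if [ -s "$resp" ]; then
    out=$(openssl ocsp -respin "$resp" -issuer ca.crt -cert "$cert" \
            -CAfile ca.crt -no_nonce 2>&1) || true
  fi
  case $out in
    *"Response verify OK"*) ;;                     # signature and chain check out
    *) if [ "$policy" = soft ]; then echo allow; else echo block; fi; return 0 ;;
  esac
  case $out in
    *"$cert: good"*) echo allow ;;                 # CA says not revoked
    *) echo block ;;                               # revoked or unknown
  esac
}

for policy in soft hard; do
  printf '%-4s  good staple: %s  revoked staple: %s  no staple: %s\n' "$policy" \
    "$(ocsp_verdict "$policy" good.crt good.resp)" \
    "$(ocsp_verdict "$policy" revoked.crt revoked.resp)" \
    "$(ocsp_verdict "$policy" good.crt missing.resp)"
done
```

Run it as a script and it prints one line per policy. The only column where the two policies differ is the missing-staple case, which is the whole point of the argument: a response that does arrive and says "revoked" is blocked under either policy, so soft fail only lets a revoked certificate through when no response is available at all. To see what a live server actually staples, openssl s_client with the -status option against the server's port 443 prints any stapled response in its handshake output.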

This is troubling. While soft fail and seatbelts aren't ideal, they're still better than nothing. Chrome users no longer have them.

The good news is they're being called out for it. From the Certificate Authority Security Council:

Google moved away from supporting OCSP without adequately informing Chrome users of this fact. Although IE and Safari also soft-fail if an OCSP response is not received, those browsers still use OCSP by default. The engineers creating those browsers apparently have not concluded that OCSP is broken. Even if revocation checking by OCSP isn’t 100 percent accurate, it can still protect a high percentage of users who navigate to a site with a revoked certificate and receive an OCSP response indicating revocation. Turning off revocation checking for everyone means that no one is protected.

For privacy-minded users, Chrome was always questionable. Now I would put it with IE.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.