Google’s Chrome browser “blindly” trusting Heartbleed-affected sites
How safe are you from Heartbleed? After the widespread security bug was discovered, many sites claimed to have safeguarded against it by resetting their OpenSSL cryptography. A new study looks at Chrome, one of the more popular browsers, and notes that it is nearly useless at spotting revoked certificates.
The problem within Chrome is CRLSet, which catalogs revoked security certificates. If a website has been compromised and has had its security certificate revoked, CRLSet should know about it and give you a warning before you proceed. Gibson Research Corporation claims Google’s CRLSet, used in lieu of the Online Certificate Status Protocol (OCSP), misses about 98% of revoked certificates.