Security! Security! Security!
Posted Feb 27, 2012 9:04 UTC (Mon) by khim
In reply to: Security! Security! Security!
Parent article: Tracking users
How about Chrome removing OCSP checks for certificates? Apparently Chrome developers think speed is more important than security.
Interesting. You assume that OCSP is more secure than a simple auto-updatable revocation list. Care to share the proof that it's indeed so? AFAICS Chrome's new scheme is much simpler and thus more robust - this means it's probably more secure, too.
Note that the very same article you link to derides raises important practical security concerns related to OCSP, thus "it's so obvious that OCSP is better" just does not cut it: not only should you explain how Firefox will solve the OCSP-related problems outlined in the article, you should explain what's insecure in Chrome's new scheme, too. Soft-fail revocation checks are like a seat-belt that snaps when you crash (which is how OCSP is practically implemented in all browsers), and that does not inspire a lot of confidence.
Chrome doesn't sandbox plugins either -- since plugins are third-party software and need to access resources that Chrome doesn't know about, such as Flash local storage, webcam and whatnot.
Flash is actually sandboxed and the Java plugin is at least checked for known-vulnerable versions - which is better than what Firefox is doing.
If you want to point to real problems with Chrome's security - then be my guest, let's talk about it, no one is perfect, but if your goal is just to spread FUD then please stop.
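Added example, not from khim's comment and not code from Chrome or Firefox: a toy model of the three revocation policies the thread argues about (soft-fail OCSP, hard-fail OCSP, and a locally pushed revocation list), run against a constructed scenario where the attacker presenting a revoked certificate also controls the network path and simply drops traffic to the OCSP responder. The responder, the serial numbers and the revocation list are all made-up stand-ins; the model also assumes the pushed list actually contains the revoked serial, which is the coverage question the list-based approach lives or dies on.

```python
from dataclasses import dataclass


class ResponderUnreachable(Exception):
    """The OCSP responder gave no answer: timeout, DNS failure or a dropped port."""


@dataclass
class OcspResponder:
    """Stand-in for a CA's OCSP responder (constructed; no real network traffic)."""
    revoked: frozenset
    blocked: bool = False  # set when the attacker on the path drops OCSP traffic

    def status(self, serial: str) -> str:
        if self.blocked:
            raise ResponderUnreachable(serial)
        return "revoked" if serial in self.revoked else "good"


def soft_fail_ok(serial: str, responder: OcspResponder) -> bool:
    """OCSP as browsers deploy it: no answer is treated the same as 'good'."""
    try:
        return responder.status(serial) == "good"
    except ResponderUnreachable:
        return True  # fail open: the seat-belt that snaps in the crash


def hard_fail_ok(serial: str, responder: OcspResponder) -> bool:
    """Strict OCSP: no answer, no connection (secure, but every responder outage is a site outage)."""
    try:
        return responder.status(serial) == "good"
    except ResponderUnreachable:
        return False  # fail closed


def local_list_ok(serial: str, revocation_list: frozenset) -> bool:
    """Pushed revocation list: the decision is made locally, nothing to block at handshake time."""
    return serial not in revocation_list


def decide(serial: str, revoked: frozenset, blocked: bool) -> dict:
    """Run all three policies for one certificate serial; True means the connection is accepted."""
    responder = OcspResponder(revoked=revoked, blocked=blocked)
    return {
        "soft_fail": soft_fail_ok(serial, responder),
        "hard_fail": hard_fail_ok(serial, responder),
        "local_list": local_list_ok(serial, revoked),
    }


# Constructed scenario: the CA has revoked serial 2a (say, a leaked key); serial 07 is fine.
REVOKED = frozenset({"2a"})


if __name__ == "__main__":
    for blocked in (False, True):
        print(f"responder blocked by attacker: {blocked}")
        for serial in ("07", "2a"):
            print(f"  serial {serial}: {decide(serial, REVOKED, blocked)}")
```

With the responder reachable all three policies agree. Once the attacker blocks it, soft-fail accepts the revoked certificate, hard-fail rejects even the good one, and only the local list keeps giving the right answer for both, which is the trade-off the comment is pointing at.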