Google to strip Chrome of SSL revocation checking

http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars

http://www.h-online.com/security/ne...y-with-online-certificate-checks-1429487.html

 

I don't understand most of it but the change seems to require reliance on the automatic update mechanism. I don't know how many Linux users will be thrilled since their Chrome installations don't have the Windows-type differential updating system. Each Linux update is a download of the full install.

 

I'm not sure how it makes sense to remove something that "works 99% of the time" for a "300 millisecond" advantage. I thought the whole point of certificate checking was so that you DIDN'T need to download a list of certificates, it was maintained and updated "in the cloud".

The first comment by a "Contributing Writer" is interesting:

 

"Works 99% of the time, but only when you don't need it." Did you just miss the second half of the sentence?

The user who posted that is correct though, it should just stop being a soft-failure.

EDIT: That said, Google and other critics of the system make good points - it really isn't that useful and cutting a full second off of page load times is a fairly big deal. Still months away so we'll see how it all turns out.

 

So they're aiming for faster surfing and updating of CA's?

 

It has already happened to Chromium. Newest builds come with Check for server certificate revocation deselected. The browser now downloads a Certificate Revocation Lists file, which is stored in the browser profile.

To be honest, I prefer this approach. I've set a few different Chromium profile, specially for accessing my e-mail accounts, on the different services, and I've restricted communications only to the e-mail servers and nothing else. This included excluding communication with the CAs. This move by Google comes in hand.