Certificate revocation and browsers

Due to Heartbleed, Cloudflare has setup a site to check if your browser warns about a revoked certificate:
https://www.cloudflarechallenge.com/heartbleed

Tested browsers on the blog(http://blog.cloudflare.com/certificate-revocation-and-heartbleed):

Internet Explorer:
Gives warning, but allows bypass by user.

Safari:
Gives warning, but allows bypass by user.

Firefox:
Gives warning, denies access.

Chrome:
Gives no warning, users have to enable "Check for server certificate revocation" in options.(Disabled by default.)

I've checked a few browsers so far:

Opera 12.16:
Gives warning, denies access.

Opera 20:
Gives warning, denies access.

iOS 7.1, Safari
Gives no warning, no option to enable yourself

If anyone posts their results here, I will add them to the second post.(I believe editing time for first/main post is limited.)

 

Desktop

Bitdefender SafePay browser
Gives warning, but is a general warning, does not mention certificate has been revoked and allows bypass by user.

Chrome:
Gives no warning, users have to enable "Check for server certificate revocation" in options.(Disabled by default.)

Chromium 36.0.1939.0
Gives warning, denies access.

Firefox:
Gives warning, denies access.
FF forks Seamonkey, Pale Moon and Cyberfox: Gives warning, denies access.

Internet Explorer:
Gives warning, but allows bypass by user.

Maxthon 4.1.3.2000
Gives warning, but is a general warning, does not mention certificate has been revoked and allows bypass by user.

Opera 12.16:
Gives warning, denies access.

Opera 20:
Gives warning, denies access.

QupZilla 1.6.3
Gives no warning, no option to enable yourself

Safari:
Gives warning, but allows bypass by user.


Mobile

Android 4.1.1, Builtin browser
Gives no warning, no option to enable yourself
Android 4.1.1, Opera Mobile Classic 12.16
Gives warning, denies access.
Android 4.1.1, Zirco browser 0.4.4 browser
Gives no warning, no option to enable yourself

Android 4.3, Builtin browser
Gives no warning, no option to enable yourself
Android 4.3, Chrome 34
Gives no warning, no option to enable yourself
Android 4.3, Firefox 28
Gives warning, denies access.

Android 4.4.2, Firefox
Gives warning, denies access.

iOS 7.1, Chrome
Gives no warning, no option to enable yourself
iOS 7.1, Ghostery Browser
Gives no warning, no option to enable yourself
iOS 7.1, Mercury Browser
Gives no warning, no option to enable yourself
iOS 7.1, Safari
Gives no warning, no option to enable yourself
iOS 7.1, Webroot SecureWeb
Gives no warning, no option to enable yourself

 

I've tested Chrome v.34 with default settings (without option "Check for server certificate revocation") and I couldn't get to that site. In attachment is printscreen of error.

hqsec

 

Perhaps they have now added it to their own blacklist?
"Instead, Chrome uses a proprietary method called CRLSets which relies on a pre-compiled list of revoked certificates."

 

Thanks for answer. Enabling that option (revocation check) would still improve security if site is not on pre-compiled list.

hqsec

 

Pale Moon:

 

I get this with Opera 11.51 (Win XP):

 

SeaMonkey 2.25 blocks it with an error message:

 

Thanks, added results.

Situation on mobile OS looks depressing. Anyone here using Windows phone or BB?

 

I tested Firefox mobile on Android 4.4.2 and it gives the same error as the desktop version (gives warning & denies access).

 

Just tried this on my phone, running Android 4.3. Both Chrome (34.0.1847.114) and the old Android browser (which is set to show security warnings for sites) loaded the Coudflare page without a warning. But Firefox (28.0.1) gave a warning, like the desktop Firefox does.

Really surprised that Chrome for Android did not handle this well.

 

:Blocked by Opera Mobile Classic 12.16 on Android 4.1.1 with warning message. Allowed with no warning in built-in browser and Zirco 0.4.4 browser.

 

Here's the SSL Labs report for that test page:
https://www.ssllabs.com/ssltest/analyze.html?d=cloudflarechallenge.com

"This server is vulnerable to the Heartbleed attack. Grade set to F. (Experimental)
This server's certificate is not trusted. Grade set to F."

Basically if a site was set up like that you wouldn't want to connect to it.

 

Thanks

Very true. But this is a test server for trying to obtain private keys through Heartbleed. The certificate is not trusted because it has been revoked so people can now use it to test if your browser warns against revoked certificates.

 

From Heartbleed – You’re not finished yet (my bolding):

 

Test site for certificate revocation: https://www.grc.com/revocation.htm.

 

From Understanding Certificate Revocation Checks:

 

From Enabling Certificate Revocation Checks in Google Chrome:

 

From Fixing Certificate Revocation:

 

From Heartbleed: Revoke! The time is nigh!:

 

Certificate revocation and the performance of OCSP

 

Plan for Improving Revocation Checking in Firefox

 

Hmm, so I wonder if it's worth bothering with OCSP.

 

How certificate revocation (doesn’t) work in practice

 

I changed the link in post #16.