Certificate revocation and browsers

Discussion in 'privacy technology' started by BoerenkoolMetWorst, Apr 14, 2014.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Due to Heartbleed, Cloudflare has setup a site to check if your browser warns about a revoked certificate:
    https://www.cloudflarechallenge.com/heartbleed

    Tested browsers on the blog(http://blog.cloudflare.com/certificate-revocation-and-heartbleed):

    Internet Explorer:
    Gives warning, but allows bypass by user.

    Safari:
    Gives warning, but allows bypass by user.

    Firefox:
    Gives warning, denies access.

    Chrome:
    Gives no warning, users have to enable "Check for server certificate revocation" in options.(Disabled by default.)

    I've checked a few browsers so far:

    Opera 12.16:
    Gives warning, denies access.

    Opera 20:
    Gives warning, denies access.

    iOS 7.1, Safari
    Gives no warning, no option to enable yourself

    If anyone posts their results here, I will add them to the second post.(I believe editing time for first/main post is limited.)
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Desktop

    Bitdefender SafePay browser
    Gives warning, but is a general warning, does not mention certificate has been revoked and allows bypass by user.

    Chrome:
    Gives no warning, users have to enable "Check for server certificate revocation" in options.(Disabled by default.)

    Chromium 36.0.1939.0
    Gives warning, denies access.

    Firefox:
    Gives warning, denies access.
    FF forks Seamonkey, Pale Moon and Cyberfox:
    Gives warning, denies access.

    Internet Explorer:
    Gives warning, but allows bypass by user.

    Maxthon 4.1.3.2000
    Gives warning, but is a general warning, does not mention certificate has been revoked and allows bypass by user.

    Opera 12.16:
    Gives warning, denies access.

    Opera 20:
    Gives warning, denies access.

    QupZilla 1.6.3
    Gives no warning, no option to enable yourself

    Safari:
    Gives warning, but allows bypass by user.


    Mobile

    Android 4.1.1, Builtin browser
    Gives no warning, no option to enable yourself
    Android 4.1.1, Opera Mobile Classic 12.16
    Gives warning, denies access.
    Android 4.1.1, Zirco browser 0.4.4 browser
    Gives no warning, no option to enable yourself

    Android 4.3, Builtin browser
    Gives no warning, no option to enable yourself
    Android 4.3, Chrome 34
    Gives no warning, no option to enable yourself
    Android 4.3, Firefox 28

    Gives warning, denies access.

    Android 4.4.2, Firefox
    Gives warning, denies access.

    iOS 7.1, Chrome
    Gives no warning, no option to enable yourself
    iOS 7.1, Ghostery Browser
    Gives no warning, no option to enable yourself
    iOS 7.1, Mercury Browser
    Gives no warning, no option to enable yourself
    iOS 7.1, Safari
    Gives no warning, no option to enable yourself
    iOS 7.1, Webroot SecureWeb
    Gives no warning, no option to enable yourself
     
    Last edited: Apr 17, 2014
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    I've tested Chrome v.34 with default settings (without option "Check for server certificate revocation") and I couldn't get to that site. In attachment is printscreen of error.

    hqsec
     

    Attached Files:

  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Perhaps they have now added it to their own blacklist?
    "Instead, Chrome uses a proprietary method called CRLSets which relies on a pre-compiled list of revoked certificates."
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    Thanks for answer. Enabling that option (revocation check) would still improve security if site is not on pre-compiled list.

    hqsec
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Pale Moon:
    PMcertTestA.PNG
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I get this with Opera 11.51 (Win XP):
     

    Attached Files:

  8. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    261
    Location:
    USA
    SeaMonkey 2.25 blocks it with an error message:
    SeaMonkey.png
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Thanks, added results.

    Situation on mobile OS looks depressing. Anyone here using Windows phone or BB?
     
  10. Reith

    Reith Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    15
    I tested Firefox mobile on Android 4.4.2 and it gives the same error as the desktop version (gives warning & denies access).
     
  11. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Just tried this on my phone, running Android 4.3. Both Chrome (34.0.1847.114) and the old Android browser (which is set to show security warnings for sites) loaded the Coudflare page without a warning. But Firefox (28.0.1) gave a warning, like the desktop Firefox does.

    Really surprised that Chrome for Android did not handle this well.
     
  12. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    261
    Location:
    USA
    :Blocked by Opera Mobile Classic 12.16 on Android 4.1.1 with warning message. Allowed with no warning in built-in browser and Zirco 0.4.4 browser.
     
  13. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Thanks :)

    Very true. But this is a test server for trying to obtain private keys through Heartbleed. The certificate is not trusted because it has been revoked so people can now use it to test if your browser warns against revoked certificates.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Heartbleed – You’re not finished yet (my bolding):
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Last edited: Apr 18, 2014
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Heartbleed: Revoke! The time is nigh!:
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  23. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Hmm, so I wonder if it's worth bothering with OCSP.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I changed the link in post #16.
     
Loading...
Thread Status:
Not open for further replies.