Chrome fails to check SSL certificate revocation on Android

This is another ridiculous fact about our beloved browser, Chrome. First, we now know that it doesn't check for SSL certificate revocation by default; users need to turn on this setting manually as described here. Worse, Chrome on Android fails to check for certificate revocation completely, and connects users to a possibly malicious resource instead of the original, trusted one.

[Screenshot: chrome-mobile-ssl-certificate-revoke-check]

Thankfully, there are a few revocation-aware browsers on Android, including Mozilla's Firefox, which successfully detects SSL certificate revocation. Firefox shows a warning message and terminates the connection when users try to open any secured website that presents a revoked certificate.

[Screenshot: firefox-mobile-ssl-revoke]

Another notable revocation-aware mobile browser is Microsoft's IE Mobile on Windows Phone. It also refuses to connect to the possibly malicious site and warns users (see the following screenshot).

[Screenshot: ie-mobile-certificate-revoke-check]

Users can check whether their browser is certificate-revocation aware by visiting a special test page, https://revoked.grc.com, which serves a certificate that has been revoked.
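To see concretely what a revocation check adds, and why a client that skips it accepts a revoked certificate, here is an added example (not from the original post) that uses the openssl command line to build a throwaway CA, issue a leaf certificate, revoke it through a CRL, and then verify the leaf both without and with CRL checking. The temporary directory, the CA and leaf names and the `revoked.example.test` hostname are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: a revoked leaf passes chain validation when revocation is not
# checked (the behaviour the post attributes to Chrome on Android) and fails
# when the verifier consults the CA's CRL. All names are made up for the demo.
set -eu

make_revoked_chain() {
  d=$(mktemp -d)
  # Self-signed test CA and a leaf certificate signed by it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=revoked.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.crt" -days 1 >/dev/null 2>&1
  # Minimal 'openssl ca' configuration: just enough state to revoke and issue a CRL.
  touch "$d/index.txt"
  echo 1000 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $d/index.txt
crlnumber = $d/crlnumber
private_key = $d/ca.key
certificate = $d/ca.crt
default_md = sha256
default_crl_days = 1
EOF
  openssl ca -config "$d/ca.cnf" -revoke "$d/leaf.crt" >/dev/null 2>&1
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1
  echo "$d"
}

# Verify the leaf; $1 = directory from make_revoked_chain, $2 = "none" or "crl".
# Prints "accepted" or "rejected" so the two client behaviours can be compared.
check_leaf() {
  if [ "$2" = crl ]; then
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
      "$1/leaf.crt" >/dev/null 2>&1 && echo accepted || echo rejected
  else
    openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  fi
}

dir=$(make_revoked_chain)
echo "without revocation check: $(check_leaf "$dir" none)"   # accepted
echo "with CRL check:           $(check_leaf "$dir" crl)"    # rejected
```

The first verify succeeds because the signature chain is valid; only the second, which consults the CRL, notices that the CA has withdrawn its trust in the leaf.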

Posted by Arpit

Arpit is a web enthusiast watching browsers for long. He maintains several browser-based tools including many popular extensions. Follow Arpit on Twitter, or email him at editor@browsernative.com.
Post last updated on April 15, 2014.

2 Responses

  1. Martin says:

    I have Chrome browser version 33.0.1750.21 on my iPod Touch, and it prevented my connecting to the grc revoked-cert site. Strangely, my brother has the same version of Chrome browser on his iPad, but that DID connect to the revoked site. And as far as I can see there are no settings in the lightweight iOS Chrome browser relating to SSL, so it appears we have identical Chrome browsers giving opposite test results!

  2. Steve Gibson says:

    Martin:

    First, about Android:
    What APPEARS to be emerging is that Chrome performs NO revocation checking on Android because, unlike Firefox, Chrome relies upon the underlying OS for all certificate checking functions. See the last comment here from Ryan Sleevi, the developer who manages this:

    http://code.google.com/p/chromium/issues/detail?id=362710

    The iOS platform reportedly only performs certificate revocation checking for extended validation (EV) certificates. Since they are a tiny minority, Safari and other iOS browsers do very little.

    But Chrome on Safari uses its own “CRLset”, which is a list of automated and/or manually revoked certificates. My “revoked.grc.com” site was either automatically or manually added to that list a few days ago and the list is propagating. If you check again with your brother you’ll likely find that his instance of Chrome is now also blocking “revoked.grc.com”. But NOT because it’s blocking ALL revoked sites… only the ones it has chosen to. (Which is also quite lame, IMO.)

    /Steve Gibson.
