Researchers claim that Chrome is really bad at protecting users from Heartbleed

Apr 30, 2014 07:24 GMT

No browser is perfect, but Heartbleed has put the focus on which ones are safer to use and which ones are having a hard time keeping up with security standards.

In fact, Chrome seems to be at the top of the blacklist, according to analysts at Gibson Research Corporation (GRC), who say that Chrome fails to flag hundreds of thousands of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates revoked following Heartbleed.

Their complaint concerns Google’s CRLSet, a list that Chrome updates regularly with recently revoked website certificates. Because of Heartbleed, every site that patched the OpenSSL vulnerability had to reissue its certificates, but the old ones were not always revoked, which means that anyone who extracted the old private key can still use them.

GRC claims that CRLSet blocks 24,359 revoked certificates, less than 3 percent of all unexpired certificates that have been formally recalled as untrustworthy. Furthermore, the Chrome list only blocks TLS credentials from 53 certificate authorities (CAs), out of the 353 CAs trusted by Windows and the 211 trusted by Mac OS X.

“Now we know that Chrome's CRLSet ignores the revocation warnings published by a large majority of the Internet's certificate issuers,” reads a post from GRC. The researchers then accuse Chrome of blindly trusting the remaining 98 percent of the Internet’s revoked but unexpired certificates, and with new revocations being published every day, the gap only widens.
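To make the gap concrete, here is a small model of the two checks the article contrasts, written as an added example (not GRC's analysis code and not Chrome's implementation). It assumes the CRLSet layout I understand Chrome to use, a map from SHA-256 of the issuer's SubjectPublicKeyInfo to revoked serial numbers, and all CA keys, serials and CRL contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

REVOKED, GOOD, UNKNOWN = "revoked", "good", "unknown"

@dataclass(frozen=True)
class Cert:
    issuer_spki: bytes  # issuer's SubjectPublicKeyInfo (DER); CRLSet keys on its SHA-256
    serial: int

def spki_hash(spki: bytes) -> bytes:
    return hashlib.sha256(spki).digest()

def crlset_status(cert: Cert, crlset: dict) -> str:
    # CRLSet lookup: SHA-256(issuer SPKI) -> set of revoked serials.
    # An issuer the set does not cover yields no information at all.
    serials = crlset.get(spki_hash(cert.issuer_spki))
    if serials is None:
        return UNKNOWN
    return REVOKED if cert.serial in serials else GOOD

def chrome_accepts(cert: Cert, crlset: dict) -> bool:
    # The behaviour GRC describes: whatever the CRLSet does not list is trusted,
    # so UNKNOWN is silently treated like GOOD (fail-open).
    return crlset_status(cert, crlset) != REVOKED

def crl_status(cert: Cert, crlset: dict, issuer_crls: dict) -> str:
    # CRLSet first, then the issuer's own CRL; an unreachable CRL stays UNKNOWN
    # so the caller can decide to fail closed instead of trusting by default.
    status = crlset_status(cert, crlset)
    if status != UNKNOWN:
        return status
    crl = issuer_crls.get(cert.issuer_spki)
    if crl is None:
        return UNKNOWN
    return REVOKED if cert.serial in crl else GOOD

def crlset_coverage(crlset: dict, issuer_crls: dict) -> float:
    # Share of all CRL-listed revocations that the CRLSet also lists.
    listed = sum(len(s) for s in issuer_crls.values())
    caught = sum(len(crlset.get(spki_hash(k), set()) & s) for k, s in issuer_crls.items())
    return caught / listed if listed else 1.0

# Constructed sample data: one CA the CRLSet covers, one whose CRL it ignores.
COVERED_CA = b"constructed-spki-of-covered-ca"
OTHER_CA = b"constructed-spki-of-uncovered-ca"
ISSUER_CRLS = {COVERED_CA: {1001, 1002}, OTHER_CA: {2001, 2002, 2003}}
CRLSET = {spki_hash(COVERED_CA): {1001, 1002}}  # OTHER_CA's revocations never make it in
```

With this data, `Cert(OTHER_CA, 2001)` is on its issuer's CRL, yet `chrome_accepts()` returns True because the CRLSet says nothing about that CA, while `crl_status()` reports it revoked and `crlset_coverage()` comes out at 40 percent.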

“We know that Chrome is blind to every one of the approximately 140,000 possibly-compromised certificates recently revoked by Globalsign on behalf of CloudFlare. Chrome trusts them all,” reads the announcement from the GRC.

“We know that the appearance of the entirely benign revoked.grc.com test, and news that the certificate for the cloudflarechallenge.com website had been revoked, threatened to reveal that Chrome would not automatically block those revoked certificates,” the analysts claim.

The analysis is troubling because these certificates are used by millions of websites around the world to prove that their servers are authentic and to set up the encryption that keeps traffic from being monitored.

The number of certificates that have had to be reissued and revoked has spiked considerably since Heartbleed was disclosed several weeks ago, and this has made browsers a bit slower than usual. Even so, it looks like the worst is not over yet.