14 Apr

Heartbleed + Chrome

The Solution

Heartbleed has made quite some headlines recently. If you’re using Chrome as your preferred browser (like me) you should check your settings for the following entry, "Check for server certificate revocation" (under the advanced HTTPS/SSL settings), and make sure it is ticked:

The Problem

By default Chrome does not ask the Certificate Authority (CA) whether a certificate has been revoked (via OCSP or a CRL), but relies on its own mechanism, called CRLSets, instead. In short: Google crawls the CRLs of a subset of CAs, compiles the revoked serial numbers into a small list and pushes it to Chrome, so that the browser never has to contact the CA during the TLS handshake. This is good for performance and avoids blocking on a slow responder, but it comes with a risk: the list is deliberately kept small and only covers the CAs Google chose to crawl, so a revoked certificate may simply not be in it. Ticking the setting above turns the online check back on, with one caveat worth knowing: if the CA's OCSP responder does not answer, Chrome treats the check as passed (soft-fail), so an attacker who can block that response is not stopped by it either.
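To make the "incomplete list" point concrete, here is an added example (not Chrome's code and not from the original post) that serializes and parses a CRLSet-style blob and then answers the question Chrome asks during a handshake. The binary layout is assumed from Adam Langley's crlset-tools (uint16 little-endian header length, JSON header, then per issuer: SHA-256 of the issuer's DER SubjectPublicKeyInfo, uint32 little-endian serial count, and length-prefixed serials); the issuer bytes, serials and header values below are constructed sample data, not real CAs. The important part is the third answer: an issuer that was never crawled yields "issuer not covered", which is not the same as "not revoked".

```python
"""CRLSet-style parser and lookup (added example, not Chrome's own code).

Binary layout assumed from Adam Langley's crlset-tools:
  uint16 LE  header length
  bytes      JSON header
  repeated entries:
    32 bytes   SHA-256 of the issuer's DER SubjectPublicKeyInfo
    uint32 LE  number of revoked serials for that issuer
    per serial: uint8 length, then the serial's big-endian bytes
"""
import hashlib
import json
import struct


def build_crlset(header, revoked):
    """Serialize {issuer_spki_der: [serial_bytes, ...]} into the layout above."""
    hdr = json.dumps(header).encode()
    out = struct.pack("<H", len(hdr)) + hdr
    for spki_der, serials in revoked.items():
        out += hashlib.sha256(spki_der).digest()
        out += struct.pack("<I", len(serials))
        for s in serials:
            if not 1 <= len(s) <= 255:
                raise ValueError("serial length must fit in one byte")
            out += bytes([len(s)]) + s
    return out


def parse_crlset(blob):
    """Parse a blob into (header, {spki_sha256: {serial, ...}}).

    Every length is bounds-checked so a truncated or malformed set raises
    ValueError instead of silently yielding a shorter (and thus more
    permissive) revocation list.
    """
    if len(blob) < 2:
        raise ValueError("truncated header length")
    (hdr_len,) = struct.unpack_from("<H", blob, 0)
    pos = 2
    if pos + hdr_len > len(blob):
        raise ValueError("truncated header")
    header = json.loads(blob[pos:pos + hdr_len])
    pos += hdr_len
    entries = {}
    while pos < len(blob):
        if pos + 36 > len(blob):
            raise ValueError("truncated issuer entry")
        spki_hash = blob[pos:pos + 32]
        (count,) = struct.unpack_from("<I", blob, pos + 32)
        pos += 36
        serials = set()
        for _ in range(count):
            if pos >= len(blob):
                raise ValueError("truncated serial length")
            n = blob[pos]
            pos += 1
            if pos + n > len(blob):
                raise ValueError("truncated serial")
            serials.add(blob[pos:pos + n])
            pos += n
        entries[spki_hash] = serials
    return header, entries


def check_revocation(entries, issuer_spki_der, serial):
    """Answer for one leaf certificate: 'revoked', 'not revoked' or
    'issuer not covered'. Only the first two are real answers; the third
    means the set says nothing about this CA at all."""
    key = hashlib.sha256(issuer_spki_der).digest()
    if key not in entries:
        return "issuer not covered"
    return "revoked" if serial in entries[key] else "not revoked"


# Constructed sample data: not real SubjectPublicKeyInfo structures or serials.
ISSUER_A_SPKI = b"constructed-spki-of-CA-A"   # a CA the crawler covered
ISSUER_B_SPKI = b"constructed-spki-of-CA-B"   # a CA the crawler never looked at
SAMPLE_CRLSET = build_crlset(
    {"Version": 0, "ContentType": "CRLSet", "Sequence": 1, "NumParents": 1},
    {ISSUER_A_SPKI: [b"\x10\x00\x01", b"\x0a\xbc"]},
)

if __name__ == "__main__":
    header, entries = parse_crlset(SAMPLE_CRLSET)
    print("CRLSet sequence", header["Sequence"], "covers", len(entries), "issuer(s)")
    for issuer, serial in [(ISSUER_A_SPKI, b"\x10\x00\x01"),
                           (ISSUER_A_SPKI, b"\x10\x00\x02"),
                           (ISSUER_B_SPKI, b"\x10\x00\x01")]:
        print(serial.hex(), "->", check_revocation(entries, issuer, serial))
```

Run it directly and the three lookups print "revoked", "not revoked" and "issuer not covered". A server certificate revoked after Heartbleed by a CA in the second category is exactly the case the post warns about: the browser sees no revocation, not because there is none, but because the set never included that CA.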

Background

A lot of website operators that used a vulnerable OpenSSL for their TLS endpoints have now revoked their certificates and issued new ones, because Heartbleed lets an attacker read chunks of server memory, and that memory may have contained the private key. Note that a new certificate alone is not enough: the key pair has to be regenerated, otherwise the new certificate merely re-certifies the leaked key. An attacker holding the private key can impersonate the service at will and, for connections that used RSA key exchange rather than a forward-secret (DHE/ECDHE) cipher suite, decrypt any recorded past and future traffic, without anyone noticing.

Source: http://heartbleed.com/

2 thoughts on “Heartbleed + Chrome”

  1. Pingback: Heartbleed | Thomas Bandixen

  2. Looks like you should leave the checkbox ticked for some time, since a lot of smaller services still have not upgraded their version of OpenSSL and renewed their certificate, according to this article.
