Hi, On 30/04/2014 02:28, Vincent Lefevre wrote: > No, Chromium developers tell users not to enable it, and consider > it as an obsolete option that will be removed. Indeed, in case of > real MITM attack, the attacker can block the OCSP server, in which > case Chromium will silently consider the certificate as valid, and > this is complete non-sense! Said otherwise, revocation checking in > Chromium can work only when it is not needed. So, to do the real > check, you must not enable this option, just rely on the CRLSet.
*Please stop to reopen this bug.* That check is not enabled by default because it doesn't meaningfully add to security. Benefits of online revocation checking are insignificant and it compromises privacy (CA knows the IP address of users and sites they are visiting). Cheers, Giuseppe.
signature.asc
Description: OpenPGP digital signature
