On 10/10/16 08:15, Michael Ströder wrote:
> Which "Chrome users"?

All of them as a collective body.

Standard revocation doesn't hold up in an active attack scenario. If
someone has control of your customers' internet connection sufficient
that they can direct a request that was meant to go to your site to
their site instead (to use their bad cert, which is now revoked), they
can also blackhole the OCSP request.

https://wiki.mozilla.org/CA:RevocationPlan is Mozilla's plan to fix
this. I'm sure Chrome has one too. But simply turning on hard-fail OCSP
without other ecosystem changes is not a runner - too many things break.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
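The active-attack scenario in the message above, worked through as a small simulation. This is an added example, not code from the original post, from Mozilla or from Chrome: the network, the attacker, the stapling cache and the three client policies are all modelled in-process, and every name below (serials 1 and 2, the policy labels, the scenario functions) is an assumption made for the illustration. It goes one step past the text by including OCSP must-staple (RFC 7633) as one concrete form of the "other ecosystem changes" the post says hard-fail would need; that is my choice of example, not something the post itself specifies.

```python
"""Why soft-fail OCSP is no defence against an on-path attacker.

Added example for this thread, not code from the original post, from Mozilla
or from Chrome. The network, the attacker and the three client policies are
all simulated; every name below is an assumption made for the illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


@dataclass(frozen=True)
class Cert:
    serial: int
    must_staple: bool = False  # RFC 7633 TLS Feature extension, fixed at issuance


@dataclass
class Network:
    responder: Dict[int, Status] = field(default_factory=dict)  # the CA's view
    redirect_to_attacker: bool = False  # attacker answers the TLS connection
    blackhole_ocsp: bool = False        # attacker (or an outage) eats OCSP requests


@dataclass(frozen=True)
class Handshake:
    cert: Cert
    staple: Optional[Status]  # OCSP response stapled by the server, if any


def live_ocsp(serial: int, net: Network) -> Optional[Status]:
    """Client-side OCSP fetch. None models a timeout: the client cannot tell
    a responder outage from an attacker dropping the request."""
    if net.blackhole_ocsp:
        return None
    return net.responder.get(serial)


def server_hello(legit: Cert, stolen: Cert, cache: Dict[int, Status],
                 net: Network) -> Handshake:
    """Server side. The attacker presents the stolen, now revoked cert and
    staples nothing: the CA will only ever sign 'revoked' for it."""
    if net.redirect_to_attacker:
        return Handshake(stolen, None)
    return Handshake(legit, cache.get(legit.serial))


def accept(hs: Handshake, net: Network, policy: str) -> bool:
    """Apply one client revocation policy to a handshake."""
    if policy == "must_staple" and hs.cert.must_staple:
        # The cert promised a staple: no live fetch, a missing staple is fatal.
        return hs.staple == Status.GOOD
    status = hs.staple if hs.staple is not None else live_ocsp(hs.cert.serial, net)
    if policy == "hard_fail":
        return status == Status.GOOD      # unknown -> reject; outages break sites
    # soft_fail, and must_staple for certs that never opted in
    return status != Status.REVOKED       # unknown -> accept; attacker wins


POLICIES = ("soft_fail", "hard_fail", "must_staple")


def run(net: Network, server_staples: bool = False,
        must_staple: bool = False) -> Dict[str, bool]:
    """One visit to the site under every policy. Serial 1 was compromised
    and revoked; serial 2 is the replacement (assumed serials)."""
    net.responder.update({1: Status.REVOKED, 2: Status.GOOD})
    legit = Cert(2, must_staple)
    stolen = Cert(1, must_staple)
    # A stapling server keeps the last good response it fetched before any outage.
    cache = {2: Status.GOOD} if server_staples else {}
    hs = server_hello(legit, stolen, cache, net)
    return {p: accept(hs, net, p) for p in POLICIES}


def quiet_day() -> Dict[str, bool]:
    return run(Network())


def active_attacker(must_staple: bool) -> Dict[str, bool]:
    # Redirecting the TLS connection and dropping OCSP is the same capability.
    return run(Network(redirect_to_attacker=True, blackhole_ocsp=True),
               must_staple=must_staple)


def responder_outage(server_staples: bool) -> Dict[str, bool]:
    return run(Network(blackhole_ocsp=True), server_staples=server_staples,
               must_staple=server_staples)


if __name__ == "__main__":
    for label, result in [
        ("quiet day", quiet_day()),
        ("active attacker, legacy cert", active_attacker(False)),
        ("active attacker, must-staple cert", active_attacker(True)),
        ("responder outage, no stapling", responder_outage(False)),
        ("responder outage, stapling", responder_outage(True)),
    ]:
        print(f"{label:36} {result}")
```

Running it shows the two halves of the post's argument side by side: with the attacker on path, soft-fail accepts the revoked cert because the blackholed OCSP query looks exactly like a timeout, while hard-fail rejects it; but hard-fail also rejects the legitimate site during a plain responder outage whenever the server does not staple, which is the "too many things break" problem. Only the combination of a stapling server and a cert that opted into must-staple survives both scenarios, and an attacker holding an older, non-must-staple cert is still not caught by the must-staple policy.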