Don’t tell your think it is for the best!
After what seemed like a few hours looking over other blogs and what they were saying, I came to this blog post from Adam Langley’s blog, ImperialViolet. He is saying we shouldn’t even check that box to check for certificate revocation. I am going to try to explain why it is so vital that you enable it. Even if it is a soft fail, we will still be far better protected than if we did not have it on in the first place.
“So soft-fail is the only viable answer but it has a problem: it’s completely useless. But that’s not immediately obvious so we have to consider a few cases:“
After reading everything he has to say about the subject at hand, I’ve come to wonder what he is trying to say. Some of the reasons Adam gives for not enabling the SSL Certification check just seem moronic, to say the least. Here are a few things I read and want to talk about:
“That’s why I claim that online revocation checking is useless – because it doesn’t stop attacks. Turning it on does nothing but slow things down. You can tell when something is security theater because you need some absurdly specific situation in order for it to be useful.”
It is more than useless; it is an old protocol that just needs to be retired, but unfortunately we have had little reason or even any desire to do so. We cannot keep accepting that these revocation systems do anything but help either the governments or even the highly efficient hackers to gain valuable information about users. It isn’t like they have to do any more than write a script to be able to retrieve whatever they want. The problem with SSL is quite simply that it wasn’t designed around security or proper encryption. It was designed for one purpose and one purpose alone: to make people feel safe about giving out their credit cards and other such important information. This one comment we both agree on, but I also think that having a soft-fail option is better than not having one at all.
Google Wants Money
You’re just telling users that you are telling them what is best for your interest, not theirs. In one word, it really comes down to money and advertising. We know you make money on searches, and if you let this go through then you are more likely to start losing even more money, because you will have constant hard fails from sites and you may not be able to serve up ads for sites because of the hard fail. Users who do not even know about it will likely just go to sites that can’t be verified and think it is their browser, but it is the server that is causing the problem.
It’s all about numbers!
I am sure that OCSP Stapling isn’t all it is cracked up to be or even the perfect option. If you’re saying that it will stop all possible attacks and keep your identity safe, then you’re probably going to be wrong. I argue that nothing you do can keep your identity or even credit cards safe online. There will always be someone who can come up with a way to get the information they so desperately want. By using this system, though, we make it that much harder for them to sneak past the browser. Yes, we can probably come up with stories of how it happened when that box was checked, but I will say it is less likely to happen because people are smarter than they once were. We’d also be able to keep track of newly discovered revoked certificates that were in the wild by using OCSP Stapling alongside a way to report to the browser developers that we have found an invalid certificate, and we could strengthen our security even more. It is just theory, but I am sure it would at least keep more people safe than doing nothing at all.
Finally, the fault lies not with the users but with how browsers have dealt with users who either do not know better or have not been educated on how to properly protect their identity. You should be making more of an impact on the end-user by teaching them about security and privacy settings rather than expecting that you know what is best for them.