New issue
Advanced search Search tips
Starred by 16 users

Issue metadata

Status: WontFix
Closed: Apr 2014
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: ----

Sign in to add a comment

Android browser does not check for certificate revocation

Reported by, Apr 11 2014 Back to list

Issue description

Device name: Moto G XT1033

From "Settings > About Chrome"
Application version: 34.0.1847.114
OS: Android 4.4.2

URLs (if applicable):

Behavior in Android Browser (if applicable):
Desktop browsers will check if the website's SSL certificate has been revoked before proceeding to load its contents. Using Firefox desktop, for example, the user will see a warning that the certificate is invalid.

Steps to reproduce:
1. Using Google Chrome, visit grc's website, especially crafted with a revoked certificate.

Expected result:
Red padlock indicating something is wrong with the certificate. Huge warning informing certificate revocation.

Actual result:
The website's contents are displayed with a green padlock, giving no signs of anything wrong to the end user.

In light of the Heartbleed exposure, this website was created by Steve Gibson for the purpose of testing revoked certicates. The certificate used has been revoked on purpose to test if client browsers are checking. If you can read the contents without any warnings, something is definitely wrong.

Status: Available
observed this issue in all devices.
What is the expected behavior? (Green padlock or Red padlock)

Comment 2 by, Apr 14 2014

Expected behaviour would be a red padlock. 

Not sure why the status is "Available" when this is still a bug in the latest versions of Chrome?

Comment 3 by, Apr 16 2014

This is the test site.  Chrome for Windows has Revocation Checking, but it is not enabled by default.  Mobile versions do not seem to support this at all.
@palmer || @rsleevi, are you familiar with this feature at all?
Labels: Cr-Internals-Network-SSL
Status: WontFix
Marking this WontFix for two reasons:

1) Revocation checking is the responsibility of Android and the related SSL APIs. Android itself does not and has never performed revocation checking - use .
2) Revocation checking generally doesn't work (as a security feature), and especially for mobile, greatly affects performance (negatively) and privacy (negatively)

Support for CRLSets is being (meta-)tracked in  Issue 116838  

Sign in to add a comment