Your message dated Wed, 30 Apr 2014 19:22:25 +0200
with message-id <53613151.7070...@debian.org>
and subject line Re: [Pkg-chromium-maint] Bug#745646: closed by Michael Gilbert <mgilb...@debian.org> (Re: Bug#745646: chromium: certificate revocation is not checked)
has caused the Debian Bug report #745646,
regarding chromium: CRLSet (for certificate revocation checking) silently remains outdated
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
745646: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: chromium
Version: 34.0.1847.116-2
Severity: grave
Tags: security
Justification: user security hole

Certificate revocation is not checked: chromium gives no errors on

  https://www.cloudflarechallenge.com/

contrary to Iceweasel. See attached snapshot.

It seems to be a Debian specific bug.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages chromium depends on:
ii  chromium-inspector   34.0.1847.116-2
ii  gconf-service        3.2.6-2
ii  libasound2           1.0.27.2-3
ii  libatk1.0-0          2.12.0-1
ii  libc6                2.18-4
ii  libcairo2            1.12.16-2
ii  libcap2              1:2.22-1.2
ii  libcups2             1.7.2-1
ii  libdbus-1-3          1.8.0-3
ii  libexpat1            2.1.0-4
ii  libfontconfig1       2.11.0-5
ii  libfreetype6         2.5.2-1
ii  libgcc1              1:4.9-20140411-2
ii  libgconf-2-4         3.2.6-2
ii  libgcrypt11          1.5.3-4
ii  libgdk-pixbuf2.0-0   2.30.6-1
ii  libglib2.0-0         2.40.0-2
ii  libgnome-keyring0    3.8.0-2
ii  libgtk2.0-0          2.24.23-1
ii  libjpeg8             8d-2
ii  libnspr4             2:4.10.4-1
ii  libnss3              2:3.16-1
ii  libpango-1.0-0       1.36.3-1
ii  libpangocairo-1.0-0  1.36.3-1
ii  libspeechd2          0.8-6
ii  libspeex1            1.2~rc1.1-1
ii  libstdc++6           4.9-20140411-2
ii  libudev1             204-8
ii  libx11-6             2:1.6.2-1
ii  libxcomposite1       1:0.4.4-1
ii  libxdamage1          1:1.1.4-1
ii  libxext6             2:1.3.2-1
ii  libxfixes3           1:5.0.1-1
ii  libxi6               2:1.7.2-1
ii  libxml2              2.9.1+dfsg1-3
ii  libxrender1          1:0.9.8-1
ii  libxslt1.1           1.1.28-2
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1
ii  xdg-utils            1.1.0~rc1+git20111210-7

chromium recommends no packages.

Versions of packages chromium suggests:
pn  chromium-l10n  <none>
pn  mozplugger     <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi,

On 30/04/2014 02:28, Vincent Lefevre wrote:
> No, Chromium developers tell users not to enable it, and consider
> it as an obsolete option that will be removed. Indeed, in case of
> a real MITM attack, the attacker can block the OCSP server, in which
> case Chromium will silently consider the certificate as valid, and
> this is complete nonsense! Said otherwise, revocation checking in
> Chromium can work only when it is not needed. So, to do the real
> check, you must not enable this option, just rely on the CRLSet.


*Please stop reopening this bug.*

That check is not enabled by default because it doesn't meaningfully add
to security. The benefits of online revocation checking are insignificant,
and it compromises privacy (the CA knows the IP address of users and the
sites they are visiting).

Cheers,
Giuseppe.

--- End Message ---
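The two messages above disagree about what online OCSP checking buys a user. The quoted reply argues that a network attacker can simply block the responder, after which a soft-fail client accepts the certificate anyway, while the bug title points at the opposite weakness of a CRLSet: a revocation that happened after the list was built is not in it. The following is an added example, not Chromium's code and not part of the bug report; it models the three policies (OCSP soft-fail, OCSP hard-fail, local CRLSet lookup) over constructed certificate identifiers and a constructed revocation list, so that both failure modes can be seen side by side.

```python
"""Constructed model of three certificate revocation-checking policies.

Not Chromium's implementation. Issuer names, serial numbers, the responder
URL, the sample CRLSet and the responder database are all made-up data.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


@dataclass(frozen=True)
class Cert:
    issuer_id: str       # stand-in for the issuer SPKI hash a CRLSet keys on
    serial: str          # certificate serial number
    ocsp_responder: str  # responder URL as it would appear in the AIA extension


# A CRLSet is a compact list of (issuer, serial) pairs pushed to the browser
# out of band. This is a constructed sample built at some earlier point in
# time; serial 0x1004 was revoked after it was built and so is missing.
SAMPLE_CRLSET = {
    "issuer-A": {"0x1001", "0x1003"},
}

# What the (constructed) OCSP responder currently knows.
RESPONDER_DB = {
    "issuer-A": {
        "0x1001": "revoked",
        "0x1002": "good",
        "0x1003": "revoked",
        "0x1004": "revoked",  # revoked after SAMPLE_CRLSET was generated
    },
}


class OcspUnreachable(Exception):
    """Raised when the responder cannot be contacted."""


def ocsp_query(cert, blocked_responders):
    """Simulated OCSP request. A responder on the path that is blocked
    (by an outage or by whoever controls the network) never answers."""
    if cert.ocsp_responder in blocked_responders:
        raise OcspUnreachable(cert.ocsp_responder)
    return RESPONDER_DB.get(cert.issuer_id, {}).get(cert.serial, "unknown")


def check_ocsp(cert, blocked_responders, hard_fail):
    """Online check. With hard_fail=False an unanswered query is treated as
    'not revoked', which is the behaviour the quoted reply objects to."""
    try:
        status = ocsp_query(cert, blocked_responders)
    except OcspUnreachable:
        return Verdict.REJECT if hard_fail else Verdict.ACCEPT
    return Verdict.REJECT if status == "revoked" else Verdict.ACCEPT


def check_crlset(cert, crlset):
    """Local lookup; needs no network at validation time, but can only
    reject what was known when the list was generated."""
    if cert.serial in crlset.get(cert.issuer_id, set()):
        return Verdict.REJECT
    return Verdict.ACCEPT


def compare_policies(cert, blocked_responders, crlset):
    """Run all three policies on one certificate and return their verdicts."""
    return {
        "ocsp_soft_fail": check_ocsp(cert, blocked_responders, hard_fail=False),
        "ocsp_hard_fail": check_ocsp(cert, blocked_responders, hard_fail=True),
        "crlset": check_crlset(cert, crlset),
    }


if __name__ == "__main__":
    responder = "http://ocsp.issuer-a.example"
    listed = Cert("issuer-A", "0x1001", responder)   # revoked, in the CRLSet
    stale = Cert("issuer-A", "0x1004", responder)    # revoked, not yet in the CRLSet

    print("listed cert, responder reachable:", compare_policies(listed, set(), SAMPLE_CRLSET))
    print("listed cert, responder blocked:  ", compare_policies(listed, {responder}, SAMPLE_CRLSET))
    print("stale cert, responder reachable: ", compare_policies(stale, set(), SAMPLE_CRLSET))
```

Running the block shows the two complaints in one table: with the responder blocked, soft-fail OCSP accepts a revoked certificate while the CRLSet still rejects it; with a certificate revoked after the list was generated, the CRLSet accepts it while a reachable responder rejects it. Hard-fail OCSP rejects in both cases but also rejects whenever the responder is merely down, which is the availability cost that keeps browsers from enabling it.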