Certificate Revocation in Light of Heartbleed
This Security Certificate Revocation Awareness Test was born from the revelation of the worrisome “Heartbleed” vulnerability that had existed in plain sight for two years, without public awareness, in the industry-standard open-source OpenSSL security suite. Go to the link below, read Steve's explanation of this vulnerability and then test your browser.
https://www.grc.com/revocation.htm
-Bill
Last edited by bdahm on Mon Apr 14, 2014 7:45 pm; edited 1 time in total
Re: Certificate Revocation in Light of Heartbleed
This is very interesting. I just tested the two browsers that I use, Firefox and Chrome (Chromium in Linux) and got the same results in each and every test that I did, which is Firefox passed and Chrome flunked.
The different systems that I tested were:
A new build with the Intel G3220 CPU and ASRock H81M motherboard running Xubuntu 13.10.
A very old HP with the Pentium 4 CPU running Windows XP (yep, still using it and will continue until it finally dies).
An Asus notebook with the Intel Atom CPU and dual boot Windows 7 and Xubuntu 12.04.
All systems have been updated with all of the latest security updates and most recent browser versions.
Looks like I'm going to need to be more careful when using Chrome. I'm very interested if other people are getting the same results.
higgy88- Posts : 3
Join date : 2014-02-07
Re: Certificate Revocation in Light of Heartbleed
Higgy88 (Howard),
I tested my browsers as well with some surprising results. Using Safari on my Mac gives me a warning message about a revoked certificate, offers to display the certificate and allows me to display the page if I click on the "Continue" button.
When I use Chrome on the same Mac I get the revocation notice as well. Perhaps you should check your Chromium settings. Mine allows me to turn off the revocation setting, but I believe it is on by default. I would think it would be the same in Chromium.
http://d.pr/i/I8su
The big surprise was that in iOS 7.1 on my mobile devices, Safari flunked and I am unable to find a setting that would allow revocation to be turned on. I will have to check the Apple support site to see if there is any mention of this. Neither did Chrome on my iOS devices pass the test. Perhaps Chromium is using the mobile version of Chrome.
-Bill
Re: Certificate Revocation in Light of Heartbleed
Thanks for that, Bill.
Apparently the Chromium setting to check for certificate revocation is turned off by default on my Linux system. I just turned it on and it is now working to block that grc site.
I should also add that my Asus notebook with Windows 7 may not have been as up to date as I had thought. My routine is to update everything just before the MS monthly security updates, and then do a complete system backup. That way, if anything goes wrong with the MS updates and system restore doesn't work, I have a fresh backup I can go back to. I did that last week and then installed the MS updates, and I actually hadn't turned on that computer until this morning, just to check this. Sometime after that, and after I posted the results, I was informed of an ActiveX update, which I installed, and Chrome is now blocking the site. I'm not really sure if that is related or not, or maybe Chrome remotely turned that setting on for me without my knowledge. I'm going to see what my Windows XP computer does tomorrow.
higgy88- Posts : 3
Join date : 2014-02-07
Re: Certificate Revocation in Light of Heartbleed
Like you, I always back up (clone) my system before any major upgrades so there is an alternate version available should something go wrong with the update. I have even done that when there are iTunes updates, because Apple will often make changes there that, though minor, may remove or change some of the functionality. It's great to be able to go back to where you were.
BTW, Steve Gibson also is going to ride XP to the end. He says, and I updated a posting on XP in the Tech News Section, that there is little wrong with XP as is. Most of the bugs have been fixed over the 13 years of its life. It's the apps (browsers and Office) as well as poor security habits that are the real culprits.
-Bill