When a browser makes an SSL connection, it checks whether the certificate presented by the server has already been revoked by the issuing certificate authority (CA), either by consulting the CA's certificate revocation lists (CRLs) or by querying the CA's responder directly and interactively via the Online Certificate Status Protocol (OCSP). That whole process has never been completely reliable, though: if the browser cannot obtain a definite answer, for instance because an OCSP request times out or returns an error, it simply "looks the other way" and treats the certificate as valid (so-called soft fail). Were it to do otherwise, every outage of a CA's responder would turn into a security warning, and there would be far too many false alarms.
At the same time, an attacker who is already in a position to manipulate SSL connections can generally also block the browser's OCSP requests, as tools such as sslsniff have clearly demonstrated; under soft fail the revocation check then silently passes. When the breach at Comodo resellers made it necessary to revoke the fraudulently issued certificates, browser developers were therefore obliged to hard-code those revocations into their browsers and ship them as updates.
Since OCSP requests also significantly extend the loading time of SSL pages even in normal operation, Google plans to make the best of the situation. In future, the online checks will be dropped and replaced with revocation lists that are pushed through an existing update mechanism, one that does not require a browser restart and makes an updated list available immediately. Langley is inviting the certificate authorities to contribute their revocation lists to Google's browser revocation list before Google implements the change. Whether, and to what extent, the change will also affect extended validation (EV) certificates remains to be seen.
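The following is an added example, not code from the article or from Google's browser: a small simulation of the revocation decision described above. It contrasts a soft-fail online OCSP check (which an on-path attacker can defeat simply by dropping the request) with a hard-fail check (which raises a false alarm for an honest site whenever the responder is unreachable) and with a locally pushed revocation set that answers offline. The certificates, the issuer key, the responder database and the keying of the local set by (SHA-256 of issuer SPKI, serial) are all constructed for the example; the real list format used by the browser is not reproduced here.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a server certificate (constructed, not a real X.509 object)."""
    issuer_spki: bytes  # issuer's SubjectPublicKeyInfo bytes
    serial: int         # certificate serial number


class OcspUnavailable(Exception):
    """Raised when an OCSP request fails: timeout, connection dropped by an attacker, server error."""


# Pushed revocation set, keyed by (sha256(issuer SPKI), serial). A serial is unique
# per issuer, so the pair identifies one certificate. This keying is an assumption
# made for the example, not the browser's actual list encoding.
RevocationSet = Set[Tuple[str, int]]


def issuer_key(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()


def build_revocation_set(contributions: Dict[bytes, List[int]]) -> RevocationSet:
    """Merge per-CA lists of revoked serials (what each CA would contribute) into one set."""
    out: RevocationSet = set()
    for spki, serials in contributions.items():
        key = issuer_key(spki)
        out.update((key, serial) for serial in serials)
    return out


def make_ocsp_query(statuses: Dict[int, str], blocked: bool = False) -> Callable[[Cert], str]:
    """Simulated OCSP responder. blocked=True models an on-path attacker dropping the request."""
    def query(cert: Cert) -> str:
        if blocked:
            raise OcspUnavailable("OCSP request timed out")
        return statuses.get(cert.serial, "unknown")
    return query


def is_revoked(cert: Cert, local_set: RevocationSet,
               ocsp_query: Callable[[Cert], str], soft_fail: bool = True) -> bool:
    """Return True if the browser should reject the certificate as revoked."""
    # 1. The pushed list is consulted first: it works offline and cannot be blocked
    #    at connection time, which is the point of replacing online checks with it.
    if (issuer_key(cert.issuer_spki), cert.serial) in local_set:
        return True
    # 2. Online OCSP. Soft fail treats "could not get an answer" as "not revoked".
    try:
        status = ocsp_query(cert)
    except OcspUnavailable:
        return not soft_fail
    if status == "revoked":
        return True
    if status == "good":
        return False
    return not soft_fail  # "unknown" is handled like an unanswered request


def run_scenarios() -> Dict[str, bool]:
    """Exercise the decision logic; keys describe the scenario, values are is_revoked()."""
    ca_spki = b"constructed-issuer-spki"          # constructed, stands in for a real CA key
    rogue = Cert(ca_spki, 0x1001)                 # certificate the CA has since revoked
    honest = Cert(ca_spki, 0x1002)                # legitimately issued, still valid
    responder_db = {0x1001: "revoked", 0x1002: "good"}
    empty: RevocationSet = set()
    pushed = build_revocation_set({ca_spki: [0x1001]})
    return {
        "ocsp_reachable_soft_fail": is_revoked(rogue, empty, make_ocsp_query(responder_db)),
        "ocsp_blocked_soft_fail": is_revoked(rogue, empty, make_ocsp_query(responder_db, blocked=True)),
        "ocsp_blocked_hard_fail": is_revoked(rogue, empty, make_ocsp_query(responder_db, blocked=True), soft_fail=False),
        "honest_ocsp_blocked_hard_fail": is_revoked(honest, empty, make_ocsp_query(responder_db, blocked=True), soft_fail=False),
        "pushed_list_ocsp_blocked": is_revoked(rogue, pushed, make_ocsp_query(responder_db, blocked=True)),
        "pushed_list_honest_ocsp_blocked": is_revoked(honest, pushed, make_ocsp_query(responder_db, blocked=True)),
    }


if __name__ == "__main__":
    for name, revoked in run_scenarios().items():
        print(f"{name:34s} revoked={revoked}")
```

The two scenarios worth comparing are `ocsp_blocked_soft_fail`, where the revoked certificate is accepted because the attacker has cut off the OCSP request, and `honest_ocsp_blocked_hard_fail`, where a perfectly good certificate is rejected for the same reason; the pushed list catches the revoked certificate without either problem, at the cost of only covering what the CAs have contributed to it.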