Report: Google Chrome's Heartbleed Protection is 'Completely Broken'

Google Chrome and Heartbleed Google engineer Adam Langley published a blog post taking issue with the GRC characterization that Chrome's CRLSet is "completely broken." In the post, Langley said he has always been clear that the measure isn't perfect, but in any event, it's more effective than the revocation checks on by default in other browsers. "And yet, GRC managed to write pages (including cartoons!) exposing the fact that it doesn't cover many revocations and attacking Chrome for it." In fairness to Google a test performed after this article was published showed Chrome blacklisted the TLS certificate Ars revoked three weeks ago. The ability of Google Chrome to block secure website connections compromised by the Heartbleed bug is "completely broken" because the browser by default detects less than three percent of the underlying digital certificates that have been revoked, according to a detailed analysis recently posted online.

Read the full story at Ars Technica.