[Heartbleed] Check your browser's certificate revocation system

[ross549]

One of the aftereffects of Heartbleed will be mass revocation of certificates. Your browser may or may not know that the certificate is being revoked. Here is a simple way to check.

 

http://revoked.grc.com

 

Steve has set up a special page with a revoked certificate. If you get an alert in your browser that prevents you from going to the page, your browser is receiving revocation properly.

 

NOTE: Chrome may not have revocation turned on by default! Go the advanced settings and make sure the certificate revocation box is checked.

 

I tested this page on the following:

 

OSX- Google Chrome, Firefox, and Safari. All were the latest versions as of April 13. All came up with errors. Safari was the only browser that let me bypass the error.

 

Windows 7- IE 11, Chrome, and Firefox. Again, all were the latest version. All blocked the page.

 

iPhone (ios 7)- Mobile Safari. I got no errors. I was able to see the page perfectly.

 

Let's test our browsers!

[securitybreach]

Chromium (linux) blocks the page as long as you have the option, Check for server certificate revocation, enabled in the settings:

 

 

Firefox gave a warning but still allowed you to load the page.

[ross549]

Which versions?

[Guest LilBambi]

I just tested ALL 5 of the browsers I have on my iPhone. ONLY Opera gave this:

 

 

All the others gave the same as you got, including Google Chrome on iOS.

 

When I try Google Chrome on my Mac it gives me this:

 

the page that says, "This webpage is not available" with the little sad face on the Mac.

 

And the exact same page Josh got in Linux on Google Chrome.

Edited April 13, 2014 by LilBambi

[securitybreach]

Chromium: 34.0.1847.116 (260972)

Firefox: 28.0-1

[Guest LilBambi]

Here's Firefox's response to https://revoked.grc.com

 

 

Exactly as it should.

 

NOW, on the Mac, Google Chrome is giving the same as on iOS! No longer an Apple looking sad face. Weird.

[Guest LilBambi]

Google Chrome version: 34.0.1847.116 on the Mac

 

Firefox version: 28.0 on the Mac

 

Google Chrome version: 34.0.1847.116 on Debian Linux as well.

 

Seems that Google Chrome on the Mac is trusting Apple's revocation list?

 

Yea! Safari working fine after re-enabling in the Apple Keychain. I hope they fixed what was broken before which was why it was turned off in the first place.

Edited April 13, 2014 by LilBambi
edited for change with Chrome and Safari

[Guest LilBambi]

Wait, I am having settings synced but the revocation was not checked like in Linux.

 

I will run it again in Google Chrome now that I checked to verify and found it uncheck on the Mac.

 

There we go, now getting the same thing in Google Chrome on the Mac as I do in Linux ... same image that Josh posted.

 

Yea!

 

Had me worried there for a minute.

[Guest LilBambi]

OK, still something to worry about with OS X 10.7.5 with Safari updated to Version 6.1.3 (7537.75.14) which is still being updated for security patches etc.

 

I get the same page that Adam and I got on Safari on iOS:

 

Security Certificate

Revocation Awareness Test

If you can see this (and apparently you can), you

are using a revocation UNaware web browser!

 

Until you change it in the Keychain App!

 

NOTE: If you turned off Certificate Revocation in the Keychain App, a while back when things were broken there, you need to turn it back on. And hopefully they fixed what was broken for some systems. Works great now for me.

 

The following now shows up at the top of Safari 6.1.3:

 

 

Edited April 13, 2014 by LilBambi
added about keychain app and image for safari 6.1.3

[Guest LilBambi]

Here's the image of what Opera on the Mac gives you with revocation setting enabled:

 

[ross549]

Anyone have any test results from Android?

[Guest LilBambi]

Hopefully we will hear from at least Josh on that one.

[securitybreach]

The page opened without any errors on Chrome on Android 4.4.2.

 

Firefox on Android shows this error:

 

 

 

Also, the lastpass browser shows the page without an error.

[sunrat]

NOTE: Chrome may not have revocation turned on by default! Go the advanced settings and make sure the certificate revocation box is checked.

Let's test our browsers!

Tested with Iceweasel 30.0a2 - OK!

Tested with Google Chrome 34.0.1847.116 - OK after changing revocation setting!

 

Thanks Adam

[mac]

Tested with IE10 on WIN7 Pro 64bit - O.K.

[ross549]

Anyone have a XP install they'd be willing to test IE8 with?

[zlim]

I do. I have to reboot the computer I'm currently on but I will do it and report back.

 

Here's what you get on IE 8 in XP

looks good to me.

Edited April 14, 2014 by zlim

[ross549]

Excellent! I think we can safely say that if you are running a browser other than Google Chrome, you are generally protected by default on Windows, OSX, and Linux.

 

If you are running Chrome/Chromium- Menu -> Settings -> Advanced Settings -> HTTPS area -> Make sure REVOKE CERTIFICATES is checked!

 

Adam

[Guest LilBambi]

Yes, if you sync Google Chrome, make sure that particular setting is in fact syncing. It wasn't on my Mac but I think it saw a conflict due to an earlier problem in Google Chrome with the Certificates for some folks running Macs who may have had to disable the certificate settings in KeyChain App.

 

BTW: I no longer need to disable those setting in the KeyChain App. Apple must have corrected it somewhere along the way.