ross549 Posted April 13, 2014

One of the aftereffects of Heartbleed will be mass revocation of certificates. Your browser may or may not know that the certificate is being revoked. Here is a simple way to check.

http://revoked.grc.com

Steve has set up a special page with a revoked certificate. If you get an alert in your browser that prevents you from going to the page, your browser is receiving revocation properly.

NOTE: Chrome may not have revocation turned on by default! Go to the advanced settings and make sure the certificate revocation box is checked.

I tested this page on the following:

OSX- Google Chrome, Firefox, and Safari. All were the latest versions as of April 13. All came up with errors. Safari was the only browser that let me bypass the error.

Windows 7- IE 11, Chrome, and Firefox. Again, all were the latest version. All blocked the page.

iPhone (iOS 7)- Mobile Safari. I got no errors. I was able to see the page perfectly.

Let's test our browsers!

securitybreach Posted April 13, 2014

Chromium (Linux) blocks the page as long as you have the option, Check for server certificate revocation, enabled in the settings:

Firefox gave a warning but still allowed you to load the page.

ross549 Posted April 13, 2014

Which versions?

Guest LilBambi Posted April 13, 2014

I just tested ALL 5 of the browsers I have on my iPhone. ONLY Opera gave this:

All the others gave the same as you got, including Google Chrome on iOS.

When I try Google Chrome on my Mac it gives me this: the page that says, "This webpage is not available" with the little sad face on the Mac. And the exact same page Josh got in Linux on Google Chrome.

Edited April 13, 2014 by LilBambi

securitybreach Posted April 13, 2014

Chromium: 34.0.1847.116 (260972)
Firefox: 28.0-1

Guest LilBambi Posted April 13, 2014

Here's Firefox's response to https://revoked.grc.com

Exactly as it should.

NOW, on the Mac, Google Chrome is giving the same as on iOS! No longer an Apple looking sad face. Weird.

Guest LilBambi Posted April 13, 2014

Google Chrome version: 34.0.1847.116 on the Mac
Firefox version: 28.0 on the Mac
Google Chrome version: 34.0.1847.116 on Debian Linux as well.

Seems that Google Chrome on the Mac is trusting Apple's revocation list?

Yea! Safari working fine after re-enabling in the Apple Keychain. I hope they fixed what was broken before which was why it was turned off in the first place.

Edited April 13, 2014 by LilBambi (edited for change with Chrome and Safari)

Guest LilBambi Posted April 13, 2014

Wait, I am having settings synced but the revocation was not checked like in Linux. I will run it again in Google Chrome now that I checked to verify and found it unchecked on the Mac.

There we go, now getting the same thing in Google Chrome on the Mac as I do in Linux ... same image that Josh posted. Yea! Had me worried there for a minute.

Guest LilBambi Posted April 13, 2014

OK, still something to worry about with OS X 10.7.5 with Safari updated to Version 6.1.3 (7537.75.14) which is still being updated for security patches etc. I get the same page that Adam and I got on Safari on iOS:

"Security Certificate Revocation Awareness Test
If you can see this (and apparently you can), you are using a revocation UNaware web browser!"

Until you change it in the Keychain App!

NOTE: If you turned off Certificate Revocation in the Keychain App, a while back when things were broken there, you need to turn it back on. And hopefully they fixed what was broken for some systems. Works great now for me.

The following now shows up at the top of Safari 6.1.3:

Edited April 13, 2014 by LilBambi (added about keychain app and image for safari 6.1.3)

Guest LilBambi Posted April 13, 2014

Here's the image of what Opera on the Mac gives you with revocation setting enabled:

ross549 Posted April 13, 2014

Anyone have any test results from Android?

Guest LilBambi Posted April 13, 2014

Hopefully we will hear from at least Josh on that one.

securitybreach Posted April 13, 2014

The page opened without any errors on Chrome on Android 4.4.2.

Firefox on Android shows this error:

Also, the LastPass browser shows the page without an error.

sunrat Posted April 14, 2014

Quoting ross549: "NOTE: Chrome may not have revocation turned on by default! Go to the advanced settings and make sure the certificate revocation box is checked. Let's test our browsers!"

Tested with Iceweasel 30.0a2 - OK!
Tested with Google Chrome 34.0.1847.116 - OK after changing revocation setting!

Thanks Adam

mac Posted April 14, 2014

Tested with IE10 on WIN7 Pro 64bit - O.K.

ross549 Posted April 14, 2014

Anyone have an XP install they'd be willing to test IE8 with?

zlim Posted April 14, 2014

I do. I have to reboot the computer I'm currently on but I will do it and report back.

Here's what you get on IE 8 in XP. Looks good to me.

Edited April 14, 2014 by zlim

ross549 Posted April 14, 2014

Excellent!

I think we can safely say that if you are running a browser other than Google Chrome, you are generally protected by default on Windows, OSX, and Linux.

If you are running Chrome/Chromium- Menu -> Settings -> Advanced Settings -> HTTPS area -> Make sure REVOKE CERTIFICATES is checked!

Adam

Guest LilBambi Posted April 15, 2014

Yes, if you sync Google Chrome, make sure that particular setting is in fact syncing. It wasn't on my Mac but I think it saw a conflict due to an earlier problem in Google Chrome with the Certificates for some folks running Macs who may have had to disable the certificate settings in KeyChain App.

BTW: I no longer need to disable those settings in the KeyChain App. Apple must have corrected it somewhere along the way.

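
Added example, not part of the original thread: what the revocation setting discussed above changes, shown with the openssl command line instead of a browser. It assumes the openssl tool is installed; the CA, host name and file names are made up for the demo. A client that skips the revocation list accepts the revoked certificate, one that checks it blocks it.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate below is generated locally.
revocation_demo() (
  set -e
  d=$(mktemp -d); cd "$d"
  : > index.txt; echo 01 > serial        # empty database for `openssl ca`
  cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  ca="-config demo.cnf -cert ca.pem -keyfile ca.key"
  # Throwaway CA, then a site certificate signed by it.
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Test CA" -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=revoked.example.test" -keyout site.key -out site.csr 2>/dev/null
  openssl ca $ca -batch -in site.csr -out site.pem >/dev/null 2>&1
  # Revoke the site certificate and publish the CRL that lists it.
  openssl ca $ca -revoke site.pem >/dev/null 2>&1
  openssl ca $ca -gencrl -out ca.crl >/dev/null 2>&1
  # "unchecked" validates the chain only; "checked" also consults the CRL.
  verdict() { if "$@" 2>&1 | grep -q ': OK$'; then echo accepted; else echo blocked; fi; }
  echo "unchecked=$(verdict openssl verify -CAfile ca.pem site.pem)" \
       "checked=$(verdict openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check site.pem)"
  cd /; rm -rf "$d"
)
revocation_demo
```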