TIL Chrome ignores CRL. Instead, it pushes out a curated list of invalidated certificates that it thinks are important enough to know about.

And no, we can't see the list.

So, if my web store is hacked and I invalidate the certificate, Chrome users will never know.

Excellent.

@mwlucas Hey, Certificate Transparency solves all 🤮 Have I introduced you to my lord and savior? :)

@david

Dude, I wrote the book on DANE. :flan_wink:

Needs updating, mind you...

@mwlucas We need to get DANE adopted, all of these CA SSL workarounds just SUCK.

And with ESNI they're not even bothering to pretend that a DNS lookup per request or putting public key information in DNS is "bad" anymore.

@david @mwlucas

Mozilla does not want to work on that (integrating DANE validation in browser).

So no hope in sight. 😢
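What "DANE validation" (the TLSA check that the thread wants browsers to do, and that Mozilla is said to be declining) actually amounts to, as an added example that is not part of the thread or of any browser's code. It uses only the Python standard library: a small DER walker pulls the SubjectPublicKeyInfo out of a certificate, a TLSA record is parsed from zone-file form, and the association data is compared under the record's selector and matching type. The certificate is a constructed, unsigned stand-in so the example runs offline; the OIDs and key bytes are placeholders, and `build_fake_cert`, `published_record` and `requires_pkix_validation` are hypothetical helper names.

```python
"""Added example: DANE TLSA matching against a certificate's SPKI (stdlib only)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(buf: bytes) -> list[tuple[int, bytes, bytes]]:
    """Split a DER byte string into (tag, value, whole_tlv) triples."""
    out, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            length, start = first, i + 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")
            start = i + 2 + nbytes
        end = start + length
        out.append((tag, buf[start:end], buf[i:end]))
        i = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    [(_, cert_body, _)] = der_children(cert_der)     # outer Certificate SEQUENCE
    tbs_body = der_children(cert_body)[0][1]          # first field: tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                          # explicit [0] version present
        fields = fields[1:]
    return fields[5][2]   # serial, sigalg, issuer, validity, subject, SPKI


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file presentation form, e.g. '3 1 1 <hex>'."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex("".join(hexdata.split())))


def requires_pkix_validation(usage: int) -> bool:
    """Usages 0 and 1 still need a normal CA chain; 2 and 3 do not."""
    return usage in (0, 1)


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """Does the presented certificate satisfy the record's association data?"""
    if record.selector == 0:
        target = cert_der
    elif record.selector == 1:
        target = extract_spki(cert_der)
    else:
        raise ValueError(f"unknown selector {record.selector}")
    if record.matching == 0:
        digest = target
    elif record.matching == 1:
        digest = hashlib.sha256(target).digest()
    elif record.matching == 2:
        digest = hashlib.sha512(target).digest()
    else:
        raise ValueError(f"unknown matching type {record.matching}")
    return hmac.compare_digest(digest, record.data)   # constant-time compare


# --- constructed stand-in certificate: placeholder key, no real signature ---
ED25519_OID = der(0x06, b"\x2b\x65\x70")                               # 1.3.101.112
SHA256_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")   # 1.2.840.113549.1.1.11
FAKE_SPKI = der(0x30, der(0x30, ED25519_OID) + der(0x03, b"\x00" + bytes(32)))


def build_fake_cert(spki: bytes) -> bytes:
    """Assemble a structurally valid, unsigned v3 certificate around `spki`."""
    version = der(0xA0, der(0x02, b"\x02"))
    sigalg = der(0x30, SHA256_RSA_OID)
    name = der(0x30, b"")                                               # empty Name
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, version + der(0x02, b"\x01") + sigalg + name + validity + name + spki)
    return der(0x30, tbs + sigalg + der(0x03, b"\x00" + bytes(64)))    # dummy signature


FAKE_CERT = build_fake_cert(FAKE_SPKI)


def published_record(cert_der: bytes) -> str:
    """The '3 1 1' record an operator would publish for this certificate's key."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()


if __name__ == "__main__":
    rec = parse_tlsa(published_record(FAKE_CERT))
    print(rec, tlsa_matches(rec, FAKE_CERT))
```

A real client would look up `_443._tcp.<host>` over a DNSSEC-validating resolver and refuse an unsigned answer; the matching step above is what is left once the record is trusted. Note what the thread's "3 1 1" style record (DANE-EE, SPKI, SHA-256) buys: a rotated key simply gets a new record, so the revocation problem the first post complains about becomes a DNS TTL problem rather than a CRL or CRLSet one.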


@mwlucas @22decembre Never thought about it.

But the question is 'why?' They don't love the CA cartel; they've undercut the CAs at every opportunity. Their solutions of certificate pinning and certificate transparency have been shown to be snake oil and crap at every turn... What do they get by opposing DANE/DNSSEC, ESPECIALLY as they support a DNS-powered ESNI?


@david @22decembre the only secure path is to give the Google all your business. Then they will help you.

@mwlucas @22decembre This reminds me of Cloudflare's business model. Everything they do/support (ESNI, DoH, DNS) works better/faster if you are their customer, and slower than before if you are not.

Cross Family's Mastodon