Why is Chrome Shipping with a Revoked Certificate?

Getting certificate management wrong is not uncommon: is Chrome's revoked Verizon cert a security issue though?

By CBR Staff Writer

Google’s Chrome browser, used by over a billion users, is shipping with a revoked root certificate at its heart, says British cybersecurity startup Cybersec Innovation Partners (CIP), claiming the revelation exposes a security issue that has remained unpatched by Google despite their disclosure: an allegation that Google denies.

With expired/revoked certs a perennial enterprise pain point, Computer Business Review set about investigating the allegation, made to us by CIP, with supporting evidence including screen shots of the certificate itself.

CIP – founded in 2018 – provides a PKI/software certificate deep discovery and life cycle management platform dubbed Whitethorn that was initially developed in Germany for a NATO project. The company found the revoked certificate using the tool, and alerted Google Chrome developers on May 16, to the sound of a resounding shrug.

A screenshot showing the revoked certificate.

Chrome Certificate Issue “Could Leave Users Open to Attack”

CIP’s Paul Foster, former global head of cyber security at HSBC, said: “They notified me on May 24 that this will not be fixed as it would possibly break certificate compression and the only benefit would be reducing the binary size (size of the software driver).”

“Potentially this could open the door to identity spoofing leading to installation and trust of malware as if it came from the vendor itself. So, a user could think they were accessing the log-in page for their internet banking and be on a fraudulent site instead.”

“This could still leave all Chrome users open to attack and certainly shouldn’t be trusted as it breaks the whole chain of trust validation. If users want to be safe, there are alternate browsers in the meantime that could be used until this is remediated.”

With Google Chrome security types proving hard to rouse, Computer Business Review put this to a well-regarded third-party security company, SecureData, whose Andrew Lam took a look at the Chrome.dll file to try to find more details about the cert.

He said: “As illustrated in the PDF [image shared above] the revoked certificate is in the Certificate Revocation List (CRL). Chrome uses the CRL, which it pulls from top CAs on a regular basis. Therefore Chrome should throw an exception saying the page is not safe! Furthermore, a revoked certificate does not mean it is compromised, and not necessarily cracked; as it is a SHA256 with RSA 2018 it would be pretty difficult.”

He added: “I have opened up the Certificate file and I cannot find reference to this Verizon certificate but I am on version 75.0.3770.100.”

“Note that a revoked certificate does not mean it is compromised, and not necessarily cracked, as it is a SHA256 with RSA 2018 it would be pretty difficult.”

See also: LinkedIn Lets SSL Certs Lapse (Again)

Chivied for a response, Google emphasised that it is impossible to tell just by looking at the Chrome binary whether a given software certificate is used for a security-sensitive purpose and which is not. CIP had correctly identified that a Chrome certificate had been revoked: had it been used to determine whether a website or connection should be trusted, it would certainly have been a security bug and patched, they said.

But revoked though it may be, there is no security issue, a spokesman said: “[This cert] is used as part of an optimisation of the QUIC protocol*, to save bandwidth if that certificate were to be sent by a web server. But if a web server or an attacker were to use the certificate, it would not be trusted by Chrome, and the user would be presented with a full page warning similar to https://revoked.badssl.com/.”
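As an added illustration of the distinction Google draws above (constructed example code, not Chromium's own certificate-compression implementation), the toy model below keeps a dictionary of cached CA certificates, used only to save bandwidth, separate from the root store and CRL-derived revoked set that actually decide whether a chain is accepted. All certificate names and "der" bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Toy model of the QUIC-style optimisation described in the article: the client
# carries a dictionary of common CA certificates so a server can send a short
# reference instead of the full certificate. Trust is decided separately.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the real DER encoding

def cert_ref(cert):
    """Short identifier a server may send in place of a cached certificate."""
    return hashlib.sha256(cert.der).hexdigest()[:16]

GOOD_ROOT = Cert("Example Trusted Root", "Example Trusted Root", b"constructed-der-1")
REVOKED_ROOT = Cert("Example Revoked Root", "Example Revoked Root", b"constructed-der-2")
LEAF_OK = Cert("bank.example", "Example Trusted Root", b"constructed-der-3")
LEAF_BAD = Cert("bank.example", "Example Revoked Root", b"constructed-der-4")

# Compression dictionary: anything a peer might plausibly send, trusted or not.
COMPRESSION_DICT = {cert_ref(c): c for c in (GOOD_ROOT, REVOKED_ROOT)}
# Trust inputs are separate: the root store plus the revoked set pulled from CRLs.
TRUST_ANCHORS = {GOOD_ROOT, REVOKED_ROOT}
REVOKED_REFS = {cert_ref(REVOKED_ROOT)}

def decompress(wire):
    """Rebuild the chain: items are full Certs or ("ref", id) for cached ones."""
    chain = []
    for item in wire:
        if isinstance(item, Cert):
            chain.append(item)
        else:
            _, ref = item
            if ref not in COMPRESSION_DICT:
                raise ValueError("reference to a certificate the client has not cached")
            chain.append(COMPRESSION_DICT[ref])
    return chain

def validate(chain):
    """Trust decision; membership in COMPRESSION_DICT plays no part in it."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, "broken issuer chain"
    if chain[-1] not in TRUST_ANCHORS:
        return False, "root not in trust store"
    if any(cert_ref(c) in REVOKED_REFS for c in chain):
        return False, "certificate revoked"
    return True, "ok"
```

A server referencing the revoked root by its cached id saves the bytes of the certificate, but the chain is rejected exactly as if the full certificate had been sent.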

That leaves us little clearer on the precise details of its usage, but not all that glitters, in this instance, is a golden vulnerability, apparently; Google is typically responsive to vulnerability disclosures by security researchers.

CIP’s enthusiasm, meanwhile, is understandable – although the company appears to have been inaccurate about the consequences of Chrome shipping with this particular oddity: certificate issues have caused myriad problems for companies over the years, most recently in Ericsson’s global network outage in December 2018, triggered by an expired certificate, which affected some 32 million mobile network users.

Equifax, meanwhile, allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains, prior to a data breach that exposed the personal data of over 143 million people. Keeping an eye on the state of your software certificates is no bad thing and revocations can be for security reasons.

In this instance though, Google’s response: “thanks, but it’s harmless…”

*A UDP-based transport protocol for the internet, developed by Google with the aim of making web pages load faster by using zero-round-trip connection establishment.

Read this: Why Revocation is Broken
