1.17 Ensure 'Enable online OCSP/CRL checks' is set to 'Disabled'

Information

Google Chrome can reactivate soft-fail, online revocation checks although they provide no effective security benefit.

If this setting is disabled, unsecure online OCSP/CRL checks are no longer performed.

The recommended state for this setting is: Disabled (0)

Rationale:

CRLSets are primarily a means by which Chrome can quickly block certificates in emergency situations. As a secondary function they can also contain some number of non-emergency revocations. These latter revocations are obtained by crawling CRLs published by CAs.

Online (i.e. OCSP and CRL) checks are not, by default, performed by Chrome. The underlying system certificate library always performs these checks no matter what Chrome does, so enabling it here is redundant.

An attacker may block OCSP traffic and cause revocation checks to pass in order to cause usage of soft-fail behavior. Furthermore, the browser may leak what website is being accessed and who accesses it to CA servers.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Enable online OCSP/CRL checks

Default Value:

Unset (Same as Disabled, but user can change)

See Also

https://workbench.cisecurity.org/files/3653

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Windows

Control ID: f6eeea4b574842bbd5f7a609be328c684cb6358f953ba8c593a8e80bcc45ab2c