When a digital certificate {Chapter 12 Security+ 4ed} is issued by a Certificate Authority (CA) it is usually valid for one year, and sometimes longer. To protect against a situation where a site loses control of its private key, that certificate must be revoked. Currently there are two ways for a Web browser to check the current status of a certificate. The first is a certificate revocation list or CRL {Chapter 12 Security+ 4ed}. A CRL is essentially a list of the serial numbers of certificates that have been revoked, and it is downloaded to the Web browser. The second method is the Online Certificate Status Protocol (OCSP). OCSP is a request-response protocol: the browser sends the certificate's information to a trusted entity known as an OCSP Responder, and the OCSP Responder immediately returns the revocation status of that one specific certificate. Up until now all modern Web browsers (Internet Explorer 7+, Firefox, Safari on Mac OS X, some versions of Opera 8+, and Google Chrome) used OCSP.
But what happens if the Web browser cannot reach the OCSP Responder server, such as when the server is down? If the browser gets a network error when trying to reach the OCSP Responder (called a "soft-fail"), the revocation check is simply skipped. An attacker could take advantage of this by making online revocation checks appear to fail, thus bypassing the checking process.
Because of this weakness, Google Chrome has announced that it will no longer support OCSP. Instead, it will rely entirely on CRLs that are downloaded to Chrome. Yet unlike CRL updates in other browsers, this downloaded list takes effect without requiring Chrome to be restarted.
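To make the soft-fail weakness and the CRL alternative concrete, here is an added example (not code from the original post or from any browser): a small model of browser revocation checking. The OCSP Responder, certificate serial numbers and the "revoked" entries are constructed for this demonstration; no real CA or network is involved.

```python
# Added example: models the three revocation-check policies discussed above.
# Serial numbers, statuses and the responder itself are constructed test data.
from dataclasses import dataclass, field


class OcspUnreachable(Exception):
    """Raised when the OCSP Responder cannot be reached (network error)."""


@dataclass
class OcspResponder:
    statuses: dict          # serial number -> "good" | "revoked"
    online: bool = True     # flip to False to simulate an outage or blocked request

    def query(self, serial: int) -> str:
        if not self.online:
            raise OcspUnreachable("OCSP Responder not reachable")
        return self.statuses.get(serial, "unknown")


@dataclass
class Browser:
    responder: OcspResponder
    crl: set = field(default_factory=set)  # locally downloaded revoked serials
    policy: str = "soft-fail"              # "soft-fail" | "hard-fail" | "crl"

    def accept(self, serial: int) -> bool:
        """Return True if the browser would trust a certificate with this serial."""
        if self.policy == "crl":
            # Local list: no network round trip, so an attacker has nothing to block.
            return serial not in self.crl
        try:
            return self.responder.query(serial) == "good"
        except OcspUnreachable:
            # soft-fail: a network error is treated as if the check had passed
            # hard-fail: an unreachable responder blocks the connection
            return self.policy == "soft-fail"


def demo() -> dict:
    """Constructed scenario: serial 1001 was revoked, then the responder goes offline."""
    responder = OcspResponder(statuses={1000: "good", 1001: "revoked"})
    results = {"soft-fail online": Browser(responder, policy="soft-fail").accept(1001)}
    responder.online = False  # the outage (or blocked request) described in the post
    results["soft-fail offline"] = Browser(responder, policy="soft-fail").accept(1001)
    results["hard-fail offline"] = Browser(responder, policy="hard-fail").accept(1001)
    results["crl offline"] = Browser(responder, crl={1001}, policy="crl").accept(1001)
    results["crl good cert"] = Browser(responder, crl={1001}, policy="crl").accept(1000)
    return results
```

Running `demo()` shows the revoked certificate rejected while the responder is online, accepted under soft-fail once it is unreachable, and rejected again under hard-fail or the downloaded CRL.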
You can read more about it at http://www.imperialviolet.org/2012/02/05/crlsets.html.
Stay secure!
http://www.cengage.com/community/infosec
Posted 02-12-2012 6:06 PM by Mark Ciampa