For usability reasons, all major browsers by default ignore OCSP and CRL requests that fail with network errors, a behavior known as soft-fail. When accessing a website over HTTPS, browsers check whether its SSL certificate has been revoked by the issuing certificate authority (CA). This is done by querying the CA’s OCSP responder or by checking its published certificate revocation list (CRL).
On Feb. 5, Google declared that Chrome will stop OCSP and CRL checks in future versions and that these checks are to be replaced with a locally cached list of revoked certificates that will be kept up to date by Google.
The reasons behind the decision are related to performance and security issues. OCSP and CRL requests increase page load times and are susceptible to blocking by man-in-the-middle attackers or captive portals, websites commonly used by Wi-Fi access points to prevent HTTP connections before users authenticate.
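The trade-off described above, as an added example that is not part of the original article and not Chrome's code: a small model comparing soft-fail, hard-fail and a locally cached revocation list when the online check is blocked. The function names, serial numbers and scenarios are constructed for illustration, and the local list is assumed to be up to date.

```python
from enum import Enum


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    NETWORK_ERROR = "network_error"  # responder unreachable or request blocked


def soft_fail(ocsp):
    """Online check; a network error is treated as 'not revoked'."""
    return ocsp is not Ocsp.REVOKED


def hard_fail(ocsp):
    """Online check; anything other than a definite 'good' rejects the certificate."""
    return ocsp is Ocsp.GOOD


def local_list(serial, revoked_serials):
    """Offline check against a cached list; no network request at connect time."""
    return serial not in revoked_serials


# Constructed sample data (hypothetical serial numbers).
REVOKED_SERIALS = {"0xBAD1"}
SCENARIOS = [
    ("valid cert, responder reachable", "0xA001", Ocsp.GOOD),
    ("revoked cert, responder reachable", "0xBAD1", Ocsp.REVOKED),
    ("valid cert, captive portal blocks OCSP", "0xA001", Ocsp.NETWORK_ERROR),
    ("revoked cert, OCSP blocked in transit", "0xBAD1", Ocsp.NETWORK_ERROR),
]


def evaluate(scenarios, revoked_serials):
    """Return (label, soft, hard, local) tuples; True means the certificate is accepted."""
    return [
        (label, soft_fail(ocsp), hard_fail(ocsp), local_list(serial, revoked_serials))
        for label, serial, ocsp in scenarios
    ]


if __name__ == "__main__":
    print(f"{'scenario':42} soft  hard  local")
    for label, soft, hard, local in evaluate(SCENARIOS, REVOKED_SERIALS):
        print(f"{label:42} {soft!s:5} {hard!s:5} {local!s:5}")
```

In the last scenario soft-fail accepts the revoked certificate, while in the captive-portal scenario hard-fail rejects a valid one; the cached list gives the correct answer in both because it does not depend on a request at connection time.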