Chrome fails to check SSL certificate revocation on Android

This is another ridiculous fact about our beloved browser, Chrome. First, we already know that it doesn’t check for SSL certificate revocation by default; users need to turn on this setting manually, as described here. Chrome on Android, on the other hand, does not check for certificate revocation at all, and connects users to a possibly malicious resource instead of the original, trusted one.




Thankfully, there are a few revocation-aware browsers on Android, including Mozilla’s Firefox, which successfully detects SSL certificate revocation. Firefox shows a warning message and terminates the connection when users try to open any secured website with a revoked certificate.




Another notable ‘revocation aware’ mobile browser is Microsoft’s IE Mobile on Windows Phone. It also doesn’t connect to the possibly malicious links and warns users (see the following screenshot).


Users can check their browser for SSL certificate revocation awareness by visiting a special test page.

3 thoughts on “Chrome fails to check SSL certificate revocation on Android”

  1. I have Chrome browser version 33.0.1750.21 on my iPod Touch, and it prevented my connecting to the grc revoked-cert site. Strangely, my brother has the same version of Chrome browser on his iPad, but that DID connect to the revoked site. And as far as I can see there are no settings in the lightweight iOS Chrome browser relating to SSL, so it appears we have identical Chrome browsers giving opposite test results!

  2. Martin:

    First, about Android:
    What APPEARS to be emerging is that Chrome performs NO revocation checking on Android because, unlike Firefox, Chrome relies upon the underlying OS for all certificate checking functions. See the last comment here from Ryan Sleevi, the developer who manages this:

    The iOS platform reportedly only performs certificate revocation checking for extended validation (EV) certificates. Since they are a tiny minority, Safari and other iOS browsers do very little.

    But Chrome on Safari uses its own “CRLset”, which is a list of automated and/or manually revoked certificates. My “” site was either automatically or manually added to that list a few days ago and the list is propagating. If you check again with your brother you’ll likely find that his instance of Chrome is now also blocking “”. But NOT because it’s blocking ALL revoked sites… only the ones it has chosen to. (Which is also quite lame, IMO.)

    /Steve Gibson.
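The comment above describes Chrome’s CRLSet as a locally consulted list of revoked certificates, while the post describes a client that consults nothing at all. As an added example (not code from the post, from Chrome or from any browser), this stdlib-only Python sketch shows what such a list lookup amounts to: pull the issuer and serial number out of a DER certificate and match them against a published set keyed on (issuer hash, serial). `build_cert`, the issuer name “Demo Issuing CA” and the serial numbers are constructed stand-ins; the certificate is unsigned and carries only the fields the lookup needs.

```python
import hashlib
# Added demo, stdlib only: the issuer name and serials are made up and the
# certificate is an unsigned stand-in holding only the fields a lookup needs.
def tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def der_int(value):  # extra leading byte keeps the INTEGER positive
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def name_cn(cn):  # Name ::= SEQUENCE OF SET OF (type 2.5.4.3 commonName, value)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def build_cert(issuer_cn, serial):
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + sig_alg + name_cn(issuer_cn))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))  # empty placeholder signature

def read_tlv(buf, pos=0):
    """Return (tag, body, end offset) of the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def issuer_and_serial(cert_der):
    """Walk Certificate -> tbsCertificate and pull out the issuer Name and serial."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)
    tag, body, pos = read_tlv(tbs)
    if tag == 0xA0:  # optional [0] version precedes serialNumber
        tag, body, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    _, _, issuer_start = read_tlv(tbs, pos)  # skip signature AlgorithmIdentifier
    _, _, issuer_end = read_tlv(tbs, issuer_start)
    return tbs[issuer_start:issuer_end], int.from_bytes(body, "big")

def revocation_key(cert_der):
    issuer, serial = issuer_and_serial(cert_der)
    return hashlib.sha256(issuer).hexdigest(), serial  # CRLSet-style (issuer hash, serial)

def connection_allowed(cert_der, revoked, checks_revocation):
    """A revocation-aware client refuses a listed cert; a client that never
    consults the list (as the post describes for Chrome on Android) connects."""
    return not (checks_revocation and revocation_key(cert_der) in revoked)

ISSUER = "Demo Issuing CA"  # constructed, not a real CA
REVOKED_CERT, VALID_CERT = build_cert(ISSUER, 0x1A2B3C), build_cert(ISSUER, 0x1A2B3D)
REVOKED = {(hashlib.sha256(name_cn(ISSUER)).hexdigest(), 0x1A2B3C)}  # published list
```

The same revoked certificate yields `connection_allowed(...) == False` for the checking client and `True` for the non-checking one; the list is built from the issuer name and serial alone, so the lookup works against any certificate from that issuer, not just the bytes constructed here.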

  3. @Steve Gibson

    I believe that iOS (IDK about Chrome though) now performs revocation checking for all certificates. I think this is a rather recent change as of iOS 11.
