We will be doing maintenance work on Vivaldi Translate on the 11th of May starting at 03:00 (UTC) (see the time in your time zone).
Some downtime and service disruptions may be experienced.
Thanks in advance for your patience.
How to enable Online Certificate Status Protocol for Chromium
-
Firefox has the ability to hard-fail when the revocation status of a certificate cannot be found.
Internet Explorer and Edge check for revoked certificates, but do not have the option to hard-fail, but can be given the ability (see below).
Chromium relies on Googles own hand-maintained list which does not work as well as they claim. The original feature was removed and disabled by Google because "it is too confusing" and "without a hard-fail is pointless".
You can add the function back and add a hard-fail.To enable OCSP/CRL (online certificate revocation status) in Chromium based browsers you must either use the Windows group policy editor or add a registry entry.
You should read the extended info to make sure you know what you are doing.https://www.chromium.org/administrators/policy-list-3#EnableOnlineRevocationChecks
https://www.chromium.org/administrators/policy-list-3#RequireOnlineRevocationChecksForLocalAnchorsYou may need to change the name of the Policy key to the name of your chromium browser, eg. we need to use Vivaldi
If you add it to the registry save a bookmark so you can find it quickly again.
For your convenience you can use this to enable by pasting to a *.TXT file and renaming as *.REG;Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Policies\Vivaldi] "EnableOnlineRevocationChecks"=dword:00000001 "RequireOnlineRevocationChecksForLocalAnchors"=dword:00000001And to disable;
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Policies\Vivaldi] "EnableOnlineRevocationChecks"=- "RequireOnlineRevocationChecksForLocalAnchors"=-Once enabled you should see it set to "true" if you go to the internal page
vivaldi://policyYou should consider using with Steve Gibsons Windows Revocation Registry Script.
https://www.grc.com/revocation/implementations.htmImportant Note: Once Internet Explorer/Edge has seen that a cert is good Chrome also will, but if you first visit with a chromium browser and it fails to contact the revocation URL, it will still fail no matter how many times you retry.
If you get failures try IE or Edge and then as if by magic it will be fixed in the other browser.This highlights how broken it is in Chromium, so only enable it if you feel you must have the extra validation and can deal with the occasional use of the OS browser.
I have only had a problem with 4 sites so far after a few days of testing.Extra reading:
An Evaluation of the Effectiveness of Chrome's CRLSets
https://www.grc.com/revocation/crlsets.htm
The case for “OCSP Must-Staple”
https://www.grc.com/revocation/ocsp-must-staple.htm
(These articles are several years old, so you will find updated info at the bottom) -
Ppafflick moved this topic from Security & Privacy on
