Title

Online revocation checks must be performed. (Cat II impact)

Discussion

By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

Check Content

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding.

Fix Text

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable online OCSP/CRL checks Policy State: Enabled Policy Value: N/A

Additional Identifiers

Rule ID: SV-221579r879897_rule

Vulnerability ID: V-221579

Group Title: SRG-APP-000605

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.